[37070] in bugtraq
Re: CAN-2004-0814: Linux terminal layer races
daemon@ATHENA.MIT.EDU (Pavel Kankovsky)
Mon Oct 25 23:32:16 2004
Message-ID: <20041023170343.27193.qmail@paddy.troja.mff.cuni.cz>
From: "Pavel Kankovsky" <peak@argo.troja.mff.cuni.cz>
Date: Sat, 23 Oct 2004 19:03:43 +0200 (CEST)
To: bugtraq@securityfocus.com
Cc: Alan Cox <alan@lxorguk.ukuu.org.uk>
In-Reply-To: <1098312181.12412.63.camel@localhost.localdomain>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Wed, 20 Oct 2004, Alan Cox wrote:
> Firstly a user can cause crashes and other undefined behaviour by
> issuing a TIOCSETLD ioctl on a terminal interface while another thread
1. Did you mean TIOCSETD?
2. Sigh. TIOCSETD should have been restricted to root (+) since 1999. (*)
(*) Since the "user-rawip-attack" vuln reported by Marc Shaefer.
(+) Perhaps with some workaround to address the problem with processes
setting the ldisc, dropping the root, and being unable to restore ldisc
back to N_TTY when they exit.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
