Date: Wed, 10 Jan 2001 05:55:59 +0000
From: Ben Smithurst <ben@FreeBSD.org>
To: Warner Losh <imp@harmony.village.org>
Cc: audit@FreeBSD.ORG
Subject: Re: stupid bug in getsid()
Message-ID: <20010110055559.N79365@strontium.scientia.demon.co.uk>
In-Reply-To: <200101100543.f0A5hIs59275@harmony.village.org>
References: <20010109061916.E79365@strontium.scientia.demon.co.uk> <200101100543.f0A5hIs59275@harmony.village.org>
Warner Losh wrote:

> What are the impacts of this bug?  What does it allow you to do that
> you shouldn't be able to do, if any?

I don't think it does, it seems that you can basically only use getsid()
on the current process (the test is basically pt != pfind(uap->pid), with
pt initialized to the process making the system call). Here's what revision
1.43 said:

----------------------------
revision 1.43
date: 1998/12/13 07:07:51;  author: truckman;  state: Exp;  lines: +11 -5
branches:  1.43.2;
getpgid() and getsid() were doing a comparison rather than an assignment,
which is fortunate, because otherwise another bug would allow them to be
used to stomp on the syscall return value of another process.
----------------------------

Unfortunately, while getpgid() was fixed with that commit:

- if ((p == pfind(uap->pid)) == 0)
+ if ((pt = pfind(uap->pid)) == 0)

getsid() got missed:

- if ((p == pfind(uap->pid)) == 0)
+ if ((pt == pfind(uap->pid)) == 0)

-- 
Ben Smithurst / ben@FreeBSD.org / PGP: 0x99392F7D

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
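Review bot: the getsid() hunk still compares where it should assign: `+ if ((pt == pfind(uap->pid)) == 0)` never stores the pfind() result, so pt keeps its initial value (the calling process) and the condition is true only when pfind(uap->pid) returns the caller itself; every other pid, existing or not, is reported as ESRCH, and the session id that is returned is always the caller's own. It should read `if ((pt = pfind(uap->pid)) == 0)`, exactly as the getpgid() hunk above does, so a NULL lookup still fails with ESRCH while a found process is actually used for the result.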
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010110055559.N79365>
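A user-space model of the three getsid() variants the thread discusses, added here as an illustration; it is not FreeBSD's kern_prot.c and not code from the original message. The names pfind and p_retval follow the e-mail; the process table, the session ids, the use of a plain int for the return slot and the handling of pid 0 as "the caller" are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not kernel code.  ESRCH is defined locally so the
 * model builds without <errno.h>; the value matches the usual BSD number. */
#define ESRCH 3

/* Assumed stand-in for struct proc: pid, session id, and one return slot
 * that plays the role of p->p_retval[0]. */
struct proc {
    int pid;
    int sid;
    int retval;
};

/* Constructed process table: two processes in two different sessions,
 * return slots initialised to -1 so writes are visible. */
static struct proc ptable[] = {
    { 100, 100, -1 },
    { 200, 200, -1 },
};

/* Model of pfind(): look a process up by pid, NULL if there is none. */
static struct proc *pfind(int pid)
{
    size_t i;
    for (i = 0; i < sizeof ptable / sizeof ptable[0]; i++)
        if (ptable[i].pid == pid)
            return &ptable[i];
    return NULL;
}

/* getsid() as revision 1.43 left it: pt starts as the caller and the "=="
 * never reassigns it, so the test passes only when pid names the caller.
 * Any other pid, existing or not, is reported as ESRCH.  (pid 0 meaning
 * "the caller" is an assumption of this model.) */
int getsid_r143(struct proc *p, int pid)
{
    struct proc *pt = p;
    if (pid != 0 && (pt == pfind(pid)) == 0)
        return ESRCH;
    p->retval = pt->sid;
    return 0;
}

/* The intended code, as the getpgid() hunk has it: assign the lookup result
 * to pt, fail only on a NULL lookup, then read pt's session id into the
 * caller's return slot. */
int getsid_fixed(struct proc *p, int pid)
{
    struct proc *pt = p;
    if (pid != 0 && (pt = pfind(pid)) == 0)
        return ESRCH;
    p->retval = pt->sid;
    return 0;
}

/* The "other bug" the 1.43 log refers to: with a single variable p, turning
 * the comparison into an assignment makes the final store land in the
 * looked-up process's return slot rather than the caller's.  Kept here only
 * to show why a separate pt was introduced. */
int getsid_stomp(struct proc *p, int pid)
{
    if (pid != 0 && (p = pfind(pid)) == 0)
        return ESRCH;
    p->retval = p->sid;     /* p now points at the other process */
    return 0;
}

int main(void)
{
    struct proc *caller = pfind(100);

    printf("r1.43  getsid(200) from pid 100: rc=%d\n",
           getsid_r143(caller, 200));
    printf("fixed  getsid(200) from pid 100: rc=%d retval=%d\n",
           getsid_fixed(caller, 200), caller->retval);
    return 0;
}
```

Running the model shows the behaviour Ben describes: the 1.43 version of getsid() only succeeds for the caller's own pid, the assignment form returns the target's session id, and the single-variable assignment writes into the other process's slot while leaving the caller's untouched.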