From owner-freebsd-audit Tue Jan 9 21:56:20 2001
Delivered-To: freebsd-audit@freebsd.org
Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13]) by hub.freebsd.org (Postfix) with ESMTP id 0950837B400 for ; Tue, 9 Jan 2001 21:56:03 -0800 (PST)
Received: from strontium.scientia.demon.co.uk ([192.168.91.36] ident=root) by scientia.demon.co.uk with esmtp (Exim 3.20 #1) id 14GEEr-000NU6-00; Wed, 10 Jan 2001 05:56:01 +0000
Received: (from ben@localhost) by strontium.scientia.demon.co.uk (8.11.1/8.11.1) id f0A5txH35146; Wed, 10 Jan 2001 05:56:00 GMT (envelope-from ben)
Date: Wed, 10 Jan 2001 05:55:59 +0000
From: Ben Smithurst
To: Warner Losh
Cc: audit@FreeBSD.ORG
Subject: Re: stupid bug in getsid()
Message-ID: <20010110055559.N79365@strontium.scientia.demon.co.uk>
References: <20010109061916.E79365@strontium.scientia.demon.co.uk> <200101100543.f0A5hIs59275@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200101100543.f0A5hIs59275@harmony.village.org>
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Warner Losh wrote:

> What are the impacts of this bug? What does it allow you to do that
> you shouldn't be able to do, if any?

I don't think it does, it seems that you can basically only use getsid()
on the current process (the test is basically pt != pfind(uap->pid),
with pt initialized to the process making the system call). Here's what
revision 1.43 said:

----------------------------
revision 1.43
date: 1998/12/13 07:07:51;  author: truckman;  state: Exp;  lines: +11 -5
branches:  1.43.2;
getpgid() and getsid() were doing a comparison rather than an
assignment, which is fortunate, because otherwise another bug would
allow them to be used to stomp on the syscall return value of another
process.
----------------------------

Unfortunately, while getpgid() was fixed with that commit:

- if ((p == pfind(uap->pid)) == 0)
+ if ((pt = pfind(uap->pid)) == 0)

getsid() got missed:

- if ((p == pfind(uap->pid)) == 0)
+ if ((pt == pfind(uap->pid)) == 0)

-- 
Ben Smithurst / ben@FreeBSD.org / PGP: 0x99392F7D
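Review bot: in the getsid() hunk the replacement line `+ if ((pt == pfind(uap->pid)) == 0)` still uses `==`, so `pt` is compared against the pfind() result rather than assigned from it and keeps its initial value (the calling process); the line should match the getpgid() hunk, `if ((pt = pfind(uap->pid)) == 0)`, so that a lookup for another pid actually updates `pt` and a failed lookup (pfind() returning 0) is what triggers the error return.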
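The comparison-versus-assignment mix-up described in the thread is easy to reproduce in isolation. The following is an added example, not FreeBSD kernel code: it models getsid() with a constructed in-memory process table, a toy pfind() (the lookup-by-pid helper the real syscall calls), a toy `p_sid` field standing in for `p->p_session->s_leader->p_pid`, and two variants of the pid test, one with the `==` typo and one with the intended `=`. The function names getsid_buggy, getsid_fixed, query_sid, buggy_sid and fixed_sid are this example's own. It shows the effect Ben describes: with the typo, `pt` is never updated, so asking about any pid other than your own (or 0) yields ESRCH even when the process exists.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed, minimal stand-in for struct proc (example only). */
struct proc {
    pid_t p_pid;
    pid_t p_sid;   /* stands in for p->p_session->s_leader->p_pid */
};

/* Constructed process table: pids 100 and 101 share session 100,
 * pid 200 leads its own session. */
static struct proc ptable[] = {
    { 100, 100 },
    { 101, 100 },
    { 200, 200 },
};
#define NPROC (sizeof(ptable) / sizeof(ptable[0]))

/* Toy pfind(): look a process up by pid, NULL when there is none. */
static struct proc *pfind(pid_t pid)
{
    for (size_t i = 0; i < NPROC; i++)
        if (ptable[i].p_pid == pid)
            return &ptable[i];
    return NULL;
}

/* Variant with the typo from the thread: "pt == pfind(...)" is a
 * comparison, so pt stays the caller. The condition is true (and ESRCH
 * is returned) whenever the requested pid is not the caller's own. */
static int getsid_buggy(struct proc *p, pid_t pid, pid_t *retval)
{
    struct proc *pt = p;                     /* default: the caller */
    if (pid != 0 && (pt == pfind(pid)) == 0) /* bug: == instead of = */
        return ESRCH;
    *retval = pt->p_sid;
    return 0;
}

/* Variant with the intended assignment, mirroring the getpgid() fix
 * in revision 1.43: pt now receives the looked-up process, and only a
 * failed lookup (NULL) produces ESRCH. */
static int getsid_fixed(struct proc *p, pid_t pid, pid_t *retval)
{
    struct proc *pt = p;
    if (pid != 0 && (pt = pfind(pid)) == NULL)
        return ESRCH;
    *retval = pt->p_sid;
    return 0;
}

/* Run one implementation as process `caller_pid` asking about `pid`.
 * Returns the session id on success, or -errno on failure. */
static int query_sid(int (*impl)(struct proc *, pid_t, pid_t *),
                     pid_t caller_pid, pid_t pid)
{
    struct proc *caller = pfind(caller_pid);
    pid_t sid = 0;
    int err;

    if (caller == NULL)
        return -EINVAL;                      /* constructed: bad caller */
    err = impl(caller, pid, &sid);
    return err ? -err : (int)sid;
}

static int buggy_sid(pid_t caller_pid, pid_t pid)
{
    return query_sid(getsid_buggy, caller_pid, pid);
}

static int fixed_sid(pid_t caller_pid, pid_t pid)
{
    return query_sid(getsid_fixed, caller_pid, pid);
}

int main(void)
{
    /* As pid 100: the buggy version only answers for pid 0 or 100. */
    printf("buggy: getsid(100) -> %d, getsid(101) -> %d, getsid(200) -> %d\n",
           buggy_sid(100, 100), buggy_sid(100, 101), buggy_sid(100, 200));
    printf("fixed: getsid(100) -> %d, getsid(101) -> %d, getsid(200) -> %d\n",
           fixed_sid(100, 100), fixed_sid(100, 101), fixed_sid(100, 200));
    return 0;
}
```

A negative result is `-ESRCH` (on most systems -3); with the typo, the query for pid 101, which exists and even shares the caller's session, fails just like a query for a pid that does not exist, which is exactly the "only usable on the current process" behaviour noted above. Because the broken test never dereferences anything but the caller, the bug is a functional one rather than a memory-safety one, consistent with the commit log's remark that the comparison was "fortunate".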