Re: digital unix 4.0 hole
Johan Danielsson (joda PDC.KTH.SE), Sat, 15 Nov 1997 03:11:35 +0100
- Next message: Charles M. Hannum: "Re: Pentium bug workaround in NetBSD (was Re: Intel Pentium Bug:"
- Previous message: Charles M. Hannum: "BSDI patch for Pentium workaround has problems"
- In reply to: John McDonald: "digital unix 4.0 hole"
- Next in thread: Emmanuel Gadaix: "Re: digital unix 4.0 hole"
John McDonald <jmcdonalOSPREY.UNF.EDU> writes:

> If you run dbx (tested on 3.11.10) on a setuid root program that you
> have read access to, the program will core dump and create a root
> owned 600 perm core in the current directory.

The problem isn't procfs per se, but rather that it causes the program to dump core. What happens is that in core(), vn_open() is called just before it's supposed to `temporarily restore real user/group ids for file operations'. For anyone with source, the fun happens around line 4350 in kernel/bsd/kern_sig.c.

If you're *real* paranoid about this, you might be able to:

# cp /vmunix /vmunix.save
# dbx /vmunix
dbx version 3.11.10
Type 'help' for help.
main: Source not available
warning: Files compiled -g3: parameter values probably wrong
(dbx) ((unsigned*)core+82)/1 i
[core:5261, 0xfffffc000026ff48]        and     r1, r2, r1
(dbx) patch *((unsigned*)core+82) = 0x203f0001
[core:5261, 0xfffffc000026ff48]        lda     r1, 1(r31)
(dbx) q
# reboot

This might work with 4.0[ABC]; I haven't tried it though. :-) It should completely disable all core dumps.

/Johan
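Added example (not from the post above, and not Digital UNIX source): a small userland model of the ordering bug Johan describes in core(). The struct names, vn_open_sim() and core_*() helpers are invented for illustration; what they model is only the order of the vn_open() call relative to the "temporarily restore real user/group ids" step, which decides whose ids the new core file is created under.

```c
/* Added example: model of the core() ordering bug. Not Digital UNIX code;
 * the credential struct, vn_open_sim() and core_*() names are hypothetical.
 * The kernel creates the file with the caller's *effective* ids, so the
 * position of the "restore real ids" step relative to vn_open() decides
 * whether an unprivileged user ends up with a root-owned 0600 core. */
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical process credentials: effective and real ids. */
struct proc_cred {
    uid_t euid, ruid;
    gid_t egid, rgid;
};

/* Hypothetical record of the file vn_open() created. */
struct core_file {
    const char *path;
    uid_t owner;
    gid_t group;
    int   mode;
};

/* Stand-in for vn_open(): a newly created file takes the effective ids of
 * the caller, which is exactly what makes the ordering matter. */
static void vn_open_sim(const char *path, const struct proc_cred *c,
                        struct core_file *out)
{
    out->path  = path;
    out->owner = c->euid;
    out->group = c->egid;
    out->mode  = 0600;
}

/* The "temporarily restore real user/group ids for file operations" step. */
static void use_real_ids(struct proc_cred *c)
{
    c->euid = c->ruid;
    c->egid = c->rgid;
}

/* Vulnerable order, as described for kern_sig.c core(): open, then drop. */
void core_vulnerable(struct proc_cred *c, struct core_file *out)
{
    struct proc_cred saved = *c;
    vn_open_sim("core", c, out);   /* still running with euid 0 */
    use_real_ids(c);
    *c = saved;                    /* restore effective ids afterwards */
}

/* Fixed order: drop to the real ids first, then open. */
void core_fixed(struct proc_cred *c, struct core_file *out)
{
    struct proc_cred saved = *c;
    use_real_ids(c);
    vn_open_sim("core", c, out);   /* owned by the real user */
    *c = saved;
}

/* Run a setuid-root process model for a given real uid and return the
 * owner of the resulting core file under the chosen ordering. */
uid_t core_owner(int fixed, uid_t ruid)
{
    struct proc_cred c = { .euid = 0, .ruid = ruid, .egid = 0, .rgid = 100 };
    struct core_file f;
    if (fixed)
        core_fixed(&c, &f);
    else
        core_vulnerable(&c, &f);
    return f.owner;
}

int main(void)
{
    printf("vulnerable order: core owned by uid %u\n", (unsigned)core_owner(0, 1001));
    printf("fixed order:      core owned by uid %u\n", (unsigned)core_owner(1, 1001));
    return 0;
}
```

With the real uid set to 1001 the vulnerable ordering yields a core owned by uid 0, the fixed ordering one owned by 1001; the same check applies to any code path that performs a privileged file operation and only afterwards drops to the caller's ids.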
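Added example (not part of the post, and not dbx or Digital UNIX code): a decoder for the two Alpha instruction words involved in the /vmunix patch above, so that the replacement word can be checked before it is written into the kernel image. The field layout is the documented Alpha AXP memory and operate format; the word 0x203f0001 is taken from the post, while the encoding of the original "and r1, r2, r1" is computed here by the example's own encoder rather than read from the page.

```c
/* Added example: check what an Alpha instruction word encodes before
 * patching it with dbx. Not dbx or Digital UNIX code. Field layout per
 * the Alpha AXP architecture:
 *   memory  : opcode[31:26] ra[25:21] rb[20:16] disp[15:0]
 *   operate : opcode[31:26] ra[25:21] rb[20:16] sbz[15:13] lit[12]
 *             func[11:5] rc[4:0]   (lit=1: literal[20:13] replaces rb) */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define OP_LDA  0x08u   /* memory format: lda ra, disp(rb) */
#define OP_INTL 0x11u   /* operate format, integer logical group */
#define FN_AND  0x00u   /* function code for AND within OP_INTL */

/* Decode one instruction word into assembler text. Returns the number of
 * characters written, or -1 for an opcode this example does not handle. */
int alpha_disasm(uint32_t w, char *out, size_t n)
{
    unsigned op = w >> 26, ra = (w >> 21) & 31, rb = (w >> 16) & 31;

    if (op == OP_LDA) {
        int16_t disp = (int16_t)(w & 0xffffu);          /* sign-extended */
        return snprintf(out, n, "lda r%u, %d(r%u)", ra, disp, rb);
    }
    if (op == OP_INTL && ((w >> 5) & 0x7fu) == FN_AND) {
        unsigned rc = w & 31;
        if (w & (1u << 12))                              /* literal form */
            return snprintf(out, n, "and r%u, #%u, r%u", ra, (w >> 13) & 0xffu, rc);
        return snprintf(out, n, "and r%u, r%u, r%u", ra, rb, rc);
    }
    return -1;
}

/* Encode "and ra, rb, rc" (register form). */
uint32_t alpha_and(unsigned ra, unsigned rb, unsigned rc)
{
    return (OP_INTL << 26) | (ra << 21) | (rb << 16) | (FN_AND << 5) | rc;
}

/* Encode "lda ra, disp(rb)". */
uint32_t alpha_lda(unsigned ra, int disp, unsigned rb)
{
    return (OP_LDA << 26) | (ra << 21) | (rb << 16) | ((uint32_t)disp & 0xffffu);
}

/* True if the word decodes to exactly the given text. */
int disasm_is(uint32_t w, const char *expect)
{
    char buf[64];
    return alpha_disasm(w, buf, sizeof buf) > 0 && strcmp(buf, expect) == 0;
}

/* Is this the patch word from the post: load the constant 1 into r1 from
 * the zero register r31, i.e. "lda r1, 1(r31)"? */
int is_patch_word(uint32_t w)
{
    return w == alpha_lda(1, 1, 31);
}

int main(void)
{
    char buf[64];
    uint32_t orig = alpha_and(1, 2, 1), patched = 0x203f0001u;

    alpha_disasm(orig, buf, sizeof buf);
    printf("%08x  %s\n", orig, buf);
    alpha_disasm(patched, buf, sizeof buf);
    printf("%08x  %s  (patch word: %s)\n", patched, buf,
           is_patch_word(patched) ? "yes" : "no");
    return 0;
}
```

The decoded "lda r1, 1(r31)" matches what dbx printed back after the patch command; running the word through a decoder like this before `patch` is the cheap way to make sure a typo in the constant does not put something else at that address in a live kernel.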