OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Bugtraq Archives: Re: strace can lie

Re: strace can lie

Subject: Re: strace can lie
From: Sampo Savolainen (v2MOONTV.FI)
Date: Tue Dec 28 1999 - 05:24:45 CST

On Sat, 25 Dec 1999, Pavel Machek wrote:

> void
> main(void)
> {
> char *c = 0x94000000;
> open( "/tmp/delme", O_RDWR );
> mmap( c, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED, 3, 0);
> *c = 0;
> if (fork()) {
> while(1) {
> strcpy( c, "/public" );
> strcpy( c, "/secret" );
> }
> } else
> while (1)
> open( c, 0 );
> }

> [pid 224] open("/public", O_RDONLY) = 718
> [pid 224] open("/secret", O_RDONLY) = 719
> [pid 224] open("/public", O_RDONLY) = 720

I tried this with Linux 2.3.20, it worked fine:

cristobal:~# ls -l /secret /public
-rw-rw-r-- 1 root root 7 Dec 28 13:17 /public
--w--w---- 1 root root 7 Dec 28 13:17 /secret

and the strace log:

[pid 10999] open("/public", O_RDONLY) = 192
[pid 10999] open("/secret", O_RDONLY) = -1 EACCES (Permission denied)

..most of the time.

from 1270 tried opens, 11 tries had the wrong filename read from memory.

Does the kernel save the filename anywhere in the filedescriptor arrays?
If it does, then strace could be easily modified to read the filename from
the kernel, not from the programs userspace.

------------------------------------------------------------------------------
v2 - Sampo Savolainen - 040 7555649 Saraxa Media / Finngemma Tuotanto Oy

This archive was generated by hypermail 2b27 : Tue Dec 28 1999 - 09:41:55 CST