Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: strace can lie
From: v2 () MOONTV FI (Sampo Savolainen)
Date: Tue, 28 Dec 1999 13:24:45 +0200


On Sat, 25 Dec 1999, Pavel Machek wrote:

void
main(void)
{
  char *c = 0x94000000;
  open( "/tmp/delme", O_RDWR );
  mmap( c, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED, 3, 0);
  *c = 0;
  if (fork()) {
    while(1) {
      strcpy( c, "/public" );
      strcpy( c, "/secret" );
    }
  } else
    while (1)
      open( c, 0 );
}

[pid   224] open("/public", O_RDONLY)  = 718
[pid   224] open("/secret", O_RDONLY)  = 719
[pid   224] open("/public", O_RDONLY)  = 720

I tried this with Linux 2.3.20, it worked fine:

cristobal:~# ls -l /secret /public
-rw-rw-r--   1 root     root            7 Dec 28 13:17 /public
--w--w----   1 root     root            7 Dec 28 13:17 /secret

and the strace log:

[pid 10999] open("/public", O_RDONLY)   = 192
[pid 10999] open("/secret", O_RDONLY)   = -1 EACCES (Permission denied)

..most of the time.

from 1270 tried opens, 11 tries had the wrong filename read from memory.

Does the kernel save the filename anywhere in the filedescriptor arrays?
If it does, then strace could be easily modified to read the filename from
the kernel, not from the programs userspace.

------------------------------------------------------------------------------
v2 - Sampo Savolainen - 040 7555649       Saraxa Media / Finngemma Tuotanto Oy


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]