Date: Sat, 9 Jun 2007 16:15:21 +0100
From: Al Viro
To: Ulrich Drepper
Cc: Linus Torvalds, Davide Libenzi, Alan Cox, Theodore Tso, Eric Dumazet, Kyle Moffett, Linux Kernel Mailing List, Andrew Morton, Ingo Molnar
Subject: Re: [patch 7/8] fdmap v2 - implement sys_socket2
Message-ID: <20070609151521.GD4095@ftp.linux.org.uk>
In-Reply-To: <466A0BFB.3070908@redhat.com>

On Fri, Jun 08, 2007 at 07:10:03PM -0700, Ulrich Drepper wrote:
> Al Viro wrote:
> > Any real-world examples of exploitable holes based on that?
>
> Return to libc exploit, calling dup2, where some privileged data is
> redirected from the normal file descriptor to one of the attacker's
> choosing. The latter could be an outgoing socket connection which would
> result in leaking the data to the outside.
>
> normal code intruder
>
> so = socket()
>
> fd = open ("local-file")
>
> dup2(so, fd);
>
> write (fd, privileged data)
>
>
> It's just a little function call. If the arguments of dup2() are known
> this is not a big issue to construct.

So which code is supposed to do that open/write in your example? Library? Unmodified application? Application specifically modified to make *that* open() randomized?
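Added example, not part of the original message or of the fdmap patches: the dup2() redirection from the quoted diagram reproduced in one process, next to a caller-side check that compares the descriptor's `st_dev`/`st_ino` with what was recorded at open time. The names `fd_id`, `fd_same_object`, `guarded_write` and `demo_dup2_redirect` are hypothetical; a pipe stands in for the socket and `/dev/null` for the local file.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Identity of the object a descriptor referred to when it was opened. */
struct fd_id { dev_t dev; ino_t ino; };

/* 1 if fd still names the recorded object, 0 if redirected, -1 on error. */
int fd_same_object(int fd, const struct fd_id *id) {
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    return st.st_dev == id->dev && st.st_ino == id->ino;
}

/* Write only if fd still names the object recorded at open time. */
ssize_t guarded_write(int fd, const struct fd_id *id, const void *buf, size_t n) {
    if (fd_same_object(fd, id) != 1) return -1;
    return write(fd, buf, n);
}

/* Constructed scenario: returns 1 when the plain write lands in the pipe and
 * the guarded write is refused, 0 otherwise, -1 on setup failure. */
int demo_dup2_redirect(void) {
    const char msg[] = "privileged data";    /* constructed sample */
    char got[sizeof msg] = {0};
    struct stat st;
    int so[2];                                /* pipe stands in for socket() */
    int fd = open("/dev/null", O_WRONLY);     /* stands in for open("local-file") */
    if (fd < 0 || pipe(so) != 0 || fstat(fd, &st) != 0) return -1;
    struct fd_id id = { st.st_dev, st.st_ino };
    if (guarded_write(fd, &id, msg, sizeof msg) != (ssize_t)sizeof msg) return -1;

    if (dup2(so[1], fd) < 0) return -1;       /* the dup2(so, fd) from the diagram */

    ssize_t plain = write(fd, msg, sizeof msg);   /* now goes into the pipe */
    ssize_t seen = read(so[0], got, sizeof got);
    ssize_t guarded = guarded_write(fd, &id, msg, sizeof msg);
    close(fd); close(so[0]); close(so[1]);
    return plain == (ssize_t)sizeof msg && seen == (ssize_t)sizeof msg &&
           memcmp(got, msg, sizeof msg) == 0 && guarded == -1;
}

int main(void) {
    printf("redirect caught: %d\n", demo_dup2_redirect());
    return 0;
}
```

The check only helps when the redirection happens before it runs, and it requires modifying the code that does the write; it is not the descriptor randomization the fdmap patches propose.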