Re: Linux clone() looks safe (Re: Vulnerability in 4.4BSD rfork()

Marc Slemko (marcs@ZNEP.COM)
Sun, 03 Aug 1997 17:38:22 -0600

On Sat, 2 Aug 1997, Jeff Epler wrote:

> On Sat, Aug 02, 1997 at 08:02:04PM -0500, Thomas H. Ptacek wrote:
> > Vulnerability in rfork() System Call
> > A vulnerability in certain 4.4BSD kernels allows processes to gain
> > access to restricted resources by manipulating the file descriptor
> > tables of SUID and SGID executables. Applications of this vulnerability
> > will allow users to gain root access.
>
> A look at the source code for Linux kernel 2.0.30 and an attempted
> exploit seem to show that linux clone() does not have the weakness
> discovered in rfork().

I took a quick look at the behavior of IRIX's sproc() (on 6.2), and it
appears to be safe, but it may be more out of luck and/or bugs than
design.

If you do a sproc() then have the child exec something (regardless of
whether what it execs is setuid or not) and open a file descriptor in the child,
when the parent write()s to that descriptor it does _not_ return an error
condition but it doesn't get written to the file either; it appears to
just vanish. If you try to write from the parent to a fd that is closed,
it does properly return an error.

Finally, a welcome change from all the buffer overflows. Trivial to
exploit to gain root, but still a nice change of pace.