This is the mail archive of the libc-alpha@sourceware.cygnus.com mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]

Re: [Michal Zalewski <lcamtuf@IDS.PL>] [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x


   From: Andreas Schwab <schwab@suse.de>
   Date: 25 Aug 1999 11:33:24 +0200

   Ulrich Drepper <drepper@cygnus.com> writes:

   |> Andreas Jaeger <aj@arthur.rhein-neckar.de> writes:
   |> 
   |> > I found this on BugTray.  Michal describes an exploit based on
   |> > pt_chown.  Could anybody check this, please?
   |> 
   |> Already fixed.  The glibc 2.1 one, I mean.

   ??? I cannot see any changes in the 2.1 branch, and what you checked in
   into the main branch makes pt_chown completely useless.

What do you mean Andreas?  The fact that unix98_pseudo_p is passed the
total device number wheras the actually implementation is designed to
get only the device major?  Or are you referring to the fact that
unix98_pseudo_p doesn't check for BSD-style pseudo terminals?
IMHO this check shouldn't be necessary.

The real problem lies in the fact that pt_chown assumes that ptsname()
will fail if the file descriptor is not a valid master pseudo
terminal.  This assumption is wrong.  If you pass ptsname() a file
descriptor for the slave it simply returns the name of that particular
slave.  So I think that ptsname should be fixed.  Here is an
(untested) patch (I'm not at home right now so I cannot test it).

Mark


1999-08-25  Mark Kettenis  <kettenis@gnu.org>

	* sysdeps/unix/sysv/linux/ptsname.c: Add checks to make sure we're
	really dealing with a master pseudo terminal, and really returning
	the name of the associated slave pseudo terminal by checking the
	device number.


--- /scratch/kettenis/CVS/libc/sysdeps/unix/sysv/linux/ptsname.c	Sun Dec 13 15:51:27 1998
+++ libc/sysdeps/unix/sysv/linux/ptsname.c	Wed Aug 25 14:08:59 1999
@@ -29,6 +29,23 @@
 
 #include <stdio-common/_itoa.h>
 
+/* Check if DEV corresponds to a master pseudo terminal device.  */
+#define MASTER_P(Dev)                                                         \
+  (major ((Dev)) == 2                                                         \
+   || (major ((Dev)) == 4 && minor ((Dev)) >= 128 && minor ((Dev)) < 192)     \
+   || (major ((Dev)) >= 128 && major ((Dev)) < 136))
+
+/* Check if DEV corresponds to a master pseudo terminal device.  */
+#define SLAVE_P(Dev)                                                          \
+  (major ((Dev)) == 3                                                         \
+   || (major ((Dev)) == 4 && minor ((Dev)) >= 192 && minor ((Dev)) < 256)     \
+   || (major ((Dev)) >= 136 && major ((Dev)) < 144))
+
+/* Note that major number 4 corresponds to the old BSD style pseudo
+   terminal devices.  As of Linux 2.1.115 these are no longer
+   supported.  They have been replaced by major numbers 2 (masters)
+   and 3 (slaves).  */
+     
 /* Directory where we can find the slave pty nodes.  */
 #define _PATH_DEVPTS "/dev/pts/"
 
@@ -107,7 +124,16 @@
       if (__fstat (fd, &st) < 0)
 	return errno;
 
+      /* Check if FD really is a master pseudo terminal.  */
+      if (! MASTER_P (st.st_rdev))
+	{
+	  __set_errno (ENOTTY);
+	  return ENOTTY;
+	}
+
       ptyno = minor (st.st_rdev);
+      /* This is for the old BSD pseudo terminals.  As of Linux
+         2.1.115 these are no longer supported.  */
       if (major (st.st_rdev) == 4)
 	ptyno -= 128;
 
@@ -125,6 +151,15 @@
 
   if (__xstat (_STAT_VER, buf, &st) < 0)
     return errno;
+
+  /* Check if the name we're about to return really corresponds to a
+     slave pseudo terminal.  */
+  if (! S_ISCHR (st.st_mode) || ! SLAVE_P (st.st_rdev))
+    {
+      /* This really is a configuration problem.  */
+      __set_errno (ENOTTY);
+      return ENOTTY;
+    }
 
   __set_errno (save_errno);
   return 0;



Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]