[Michal Zalewski <lcamtuf@IDS.PL>] [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x
Mark Kettenis
kettenis@wins.uva.nl
Wed Aug 25 05:13:00 GMT 1999
From: Andreas Schwab <schwab@suse.de>
Date: 25 Aug 1999 11:33:24 +0200
Ulrich Drepper <drepper@cygnus.com> writes:
|> Andreas Jaeger <aj@arthur.rhein-neckar.de> writes:
|>
|> > I found this on BugTray. Michal describes an exploit based on
|> > pt_chown. Could anybody check this, please?
|>
|> Already fixed. The glibc 2.1 one, I mean.
??? I cannot see any changes in the 2.1 branch, and what you checked in
into the main branch makes pt_chown completely useless.
What do you mean Andreas? The fact that unix98_pseudo_p is passed the
total device number wheras the actually implementation is designed to
get only the device major? Or are you referring to the fact that
unix98_pseudo_p doesn't check for BSD-style pseudo terminals?
IMHO this check shouldn't be necessary.
The real problem lies in the fact that pt_chown assumes that ptsname()
will fail if the file descriptor is not a valid master pseudo
terminal. This assumption is wrong. If you pass ptsname() a file
descriptor for the slave it simply returns the name of that particular
slave. So I think that ptsname should be fixed. Here is an
(untested) patch (I'm not at home right now so I cannot test it).
Mark
1999-08-25 Mark Kettenis <kettenis@gnu.org>
* sysdeps/unix/sysv/linux/ptsname.c: Add checks to make sure we're
really dealing with a master pseudo terminal, and really returning
the name of the associated slave pseudo terminal by checking the
device number.
--- /scratch/kettenis/CVS/libc/sysdeps/unix/sysv/linux/ptsname.c Sun Dec 13 15:51:27 1998
+++ libc/sysdeps/unix/sysv/linux/ptsname.c Wed Aug 25 14:08:59 1999
@@ -29,6 +29,23 @@
#include <stdio-common/_itoa.h>
+/* Check if DEV corresponds to a master pseudo terminal device. */
+#define MASTER_P(Dev) \
+ (major ((Dev)) == 2 \
+ || (major ((Dev)) == 4 && minor ((Dev)) >= 128 && minor ((Dev)) < 192) \
+ || (major ((Dev)) >= 128 && major ((Dev)) < 136))
+
+/* Check if DEV corresponds to a master pseudo terminal device. */
+#define SLAVE_P(Dev) \
+ (major ((Dev)) == 3 \
+ || (major ((Dev)) == 4 && minor ((Dev)) >= 192 && minor ((Dev)) < 256) \
+ || (major ((Dev)) >= 136 && major ((Dev)) < 144))
+
+/* Note that major number 4 corresponds to the old BSD style pseudo
+ terminal devices. As of Linux 2.1.115 these are no longer
+ supported. They have been replaced by major numbers 2 (masters)
+ and 3 (slaves). */
+
/* Directory where we can find the slave pty nodes. */
#define _PATH_DEVPTS "/dev/pts/"
@@ -107,7 +124,16 @@
if (__fstat (fd, &st) < 0)
return errno;
+ /* Check if FD really is a master pseudo terminal. */
+ if (! MASTER_P (st.st_rdev))
+ {
+ __set_errno (ENOTTY);
+ return ENOTTY;
+ }
+
ptyno = minor (st.st_rdev);
+ /* This is for the old BSD pseudo terminals. As of Linux
+ 2.1.115 these are no longer supported. */
if (major (st.st_rdev) == 4)
ptyno -= 128;
@@ -125,6 +151,15 @@
if (__xstat (_STAT_VER, buf, &st) < 0)
return errno;
+
+ /* Check if the name we're about to return really corresponds to a
+ slave pseudo terminal. */
+ if (! S_ISCHR (st.st_mode) || ! SLAVE_P (st.st_rdev))
+ {
+ /* This really is a configuration problem. */
+ __set_errno (ENOTTY);
+ return ENOTTY;
+ }
__set_errno (save_errno);
return 0;
More information about the Libc-alpha
mailing list