SECURITY BUG IN INTERACTIVE UNIX SYSV386

Sean Eric Fagan sef at kithrup.COM
Sun Feb 17 08:48:24 AEST 1991


In article <54663 at bigtex.cactus.org> james at bigtex.cactus.org (James Van Artsdalen) writes:
>Key point: some reports say that the 387 emulation actually crashes in
>systems if the u block is protected.  I don't know if the source to
>the emulator is in the "source" package one receives from AT&T.
>Fixing the bug might be non-trivial if it is in the emulator, and you
>don't have source for the emulator.

Once again:  the '387 emulator runs in ring three (just as your process
does) for speed reasons.  (Take a look at the costs to go from ring three to
any lower ring sometime; it's disgusting.)  Since it runs in the same ring
as your process, it looks just like it is part of your process (i.e., if
you're using the emulator, you seem to have a multi-segment process).  Since
it needs to keep the fp registers somewhere, and they are very much
process-related, the "proper" place to keep them is in the u area, just like
other registers.  Since the emulator needs to be able to write to the
registers in the u area, your process can *also* write to the registers in
the u area.

Since the registers are in the same page as, oh, the uid, in some versions
of 3.2 (ISC and ESIX seem to be the major ones), and since writability is on
a page-level basis (not a byte-level or word-level basis), everything in
that page, including, oh, the uid, is writable.

The bug is not in the emulator, and having sources won't fix the problem.
The "bug" is in the entire way it's set up, and, to fix it, you need to
rearrange lots of things.  (Well, actually, just move some things around.)

Again, just my $0.03...

-- 
Sean Eric Fagan  | "I made the universe, but please don't blame me for it;
sef at kithrup.COM  |  I had a bellyache at the time."
-----------------+           -- The Turtle (Stephen King, _It_)
Any opinions expressed are my own, and generally unpopular with others.
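The post's central point is that memory protection is granted per page, not per byte, so any field that shares a page with the emulator's register save area becomes writable along with it, and the fix is a layout change rather than an emulator patch. The following added example (not part of the original post, and not modelled on any actual ISC or ESIX u-area layout) illustrates both halves of that argument with a hypothetical `naive_uarea` struct that places credentials beside the FP save slots, and a `split_uarea` that moves the credentials onto their own page so it can be mapped read-only while the register page stays writable. Sizes, field names and the uid value are constructed for the demonstration.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical stand-in for the arrangement the post describes: the
 * emulator's FP register save area sits in the same page as the uid. */
struct naive_uarea {
    uint8_t  fp_regs[108];  /* constructed: size of an 80387 FSAVE image */
    uint16_t uid;           /* credentials sharing the page with fp_regs */
};

/* Pinned to a 4 KiB boundary so the whole struct provably sits in one page. */
static _Alignas(4096) struct naive_uarea naive_example;

/* 1 if two addresses fall in the same page, i.e. the same protection unit. */
int same_page(const void *a, const void *b)
{
    long ps = sysconf(_SC_PAGESIZE);
    return ((uintptr_t)a / ps) == ((uintptr_t)b / ps);
}

/* Any page that must be writable for fp_regs is writable for uid too. */
int naive_layout_exposes_uid(const struct naive_uarea *u)
{
    return same_page(u->fp_regs, &u->uid);
}

/* Rearranged layout ("just move some things around"): the part the
 * process must write gets its own page; credentials live on another. */
struct split_uarea {
    uint8_t  *fp_page;    /* stays PROT_READ|PROT_WRITE */
    uint16_t *cred_page;  /* dropped to PROT_READ after initialisation */
    long      page_size;
};

int split_uarea_init(struct split_uarea *s)
{
    long ps = sysconf(_SC_PAGESIZE);
    uint8_t *mem = mmap(NULL, 2 * ps, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    s->page_size = ps;
    s->fp_page   = mem;
    s->cred_page = (uint16_t *)(mem + ps);
    *s->cred_page = 1000;   /* constructed uid, set before revoking write */
    /* Revoke write on the credentials page only; fp_page is untouched. */
    if (mprotect(mem + ps, ps, PROT_READ) != 0) {
        munmap(mem, 2 * ps);
        return -1;
    }
    return 0;
}

int split_layout_exposes_uid(const struct split_uarea *s)
{
    return same_page(s->fp_page, s->cred_page);
}

void split_uarea_free(struct split_uarea *s)
{
    munmap(s->fp_page, 2 * s->page_size);
}

int main(void)
{
    struct split_uarea s;
    printf("naive layout: uid shares page with fp regs = %d\n",
           naive_layout_exposes_uid(&naive_example));
    if (split_uarea_init(&s) != 0)
        return 1;
    s.fp_page[0] = 0x42;    /* writes to the register page still work */
    printf("split layout: uid shares page with fp regs = %d (uid=%u)\n",
           split_layout_exposes_uid(&s), *s.cred_page);
    split_uarea_free(&s);
    return 0;
}
```

The example deliberately never writes through `cred_page` after the `mprotect` call; on a real system that write would fault, which is exactly the property the split layout buys and the naive one cannot.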