SECURITY BUG IN INTERACTIVE UNIX SYSV386

Chip Rosenthal chip at chinacat.Unicom.COM
Thu Feb 21 10:52:57 AEST 1991


In article <1991Feb20.005322.24769 at scuzzy.in-berlin.de>
	src at scuzzy.in-berlin.de (Heiko Blume) writes:
>well, HOW did they [SCO] fix it???

By looking at <sys/user.h>, it looks like they used the AT&T 3.2.1
approach.  The fp registers appear at the very top of the structure,
along with kstack.  Therefore, this page could be mapped into user
space, leaving the second page with the sensitive stuff untouchable.

What I'm really curious about is how XENIX does it.  The fp emulation
is done in the kernel, but it does not appear that XENIX maps any
portion of the user structure into user space.  I think I've found
the address at which user is placed, but any attempt to access it
dumps core.  I'm wondering if the working registers for the fp emulator
are maintained elsewhere, and moved into/out of the user structure
when a process is scheduled/unscheduled, just as the hardware coprocessor
registers are.

-- 
Chip Rosenthal  512-482-8260  |
Unicom Systems Development    |    I saw Elvis in my wtmp file.
<chip at chinacat.Unicom.COM>    |
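
An added illustration of the layout argument in the post above (this is my
example, not Chip's code, and the structures are a made-up stand-in for
<sys/user.h>, not the real header). The idea is that if only the first page
of the user structure is ever mapped into user space for the in-kernel fp
emulator, then a layout audit reduces to one check: no sensitive field may
start before the page boundary. The code builds a "fixed" layout in the
spirit of the AT&T 3.2.1 approach (fp registers and kstack fill page 0) and
a "flawed" one where credentials share page 0 with the emulator registers,
and counts what each exposes. PAGE_SIZE, the field names and sizes are all
assumptions for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Page size assumed for the illustration (4 KiB, as on the i386). */
#define PAGE_SIZE 4096u

/* Working registers the in-kernel fp emulator needs; sized like an
 * fsave area. Constructed for this example. */
struct fp_emul_regs {
    uint32_t regs[27];          /* 108 bytes */
};

/* Mock of the "fp registers and kstack at the top" layout: page 0 holds
 * only what the emulator needs, everything sensitive lives in page 1.
 * Made-up layout, not the real <sys/user.h>. */
struct mock_user_fixed {
    struct fp_emul_regs u_fpregs;
    uint8_t  u_kstack[PAGE_SIZE - sizeof(struct fp_emul_regs)];
    /* ---- page boundary: nothing below here is mapped to user space ---- */
    uint16_t u_uid, u_gid;      /* effective credentials */
    uint16_t u_ruid, u_rgid;    /* real credentials */
    uint32_t u_ofile[20];       /* open file table */
    char     u_comm[16];
};

/* Mock of a flawed layout: credentials share page 0 with the emulator
 * registers, so mapping that page lets a process read and alter them. */
struct mock_user_flawed {
    struct fp_emul_regs u_fpregs;
    uint16_t u_uid, u_gid;
    uint8_t  u_kstack[PAGE_SIZE - sizeof(struct fp_emul_regs) - 4];
    uint32_t u_ofile[20];
    char     u_comm[16];
};

struct field_desc {
    const char *name;
    size_t offset;
    int sensitive;              /* 1 if a process must never write this */
};

/* Count sensitive fields that start inside the user-mapped prefix
 * [0, mapped_bytes) of the structure. 0 means the mapping exposes nothing. */
int count_exposed(const struct field_desc *f, size_t n, size_t mapped_bytes)
{
    int exposed = 0;
    for (size_t i = 0; i < n; i++) {
        if (f[i].sensitive && f[i].offset < mapped_bytes) {
            printf("  exposed: %-10s at offset %zu\n", f[i].name, f[i].offset);
            exposed++;
        }
    }
    return exposed;
}

/* Audit the fixed layout with page 0 mapped; kstack is treated as
 * non-sensitive here because the post describes it as mapped along
 * with the fp registers. */
int fixed_layout_exposed(void)
{
    const struct field_desc f[] = {
        { "u_fpregs", offsetof(struct mock_user_fixed, u_fpregs), 0 },
        { "u_kstack", offsetof(struct mock_user_fixed, u_kstack), 0 },
        { "u_uid",    offsetof(struct mock_user_fixed, u_uid),    1 },
        { "u_gid",    offsetof(struct mock_user_fixed, u_gid),    1 },
        { "u_ofile",  offsetof(struct mock_user_fixed, u_ofile),  1 },
    };
    return count_exposed(f, sizeof f / sizeof f[0], PAGE_SIZE);
}

/* Same audit against the flawed layout. */
int flawed_layout_exposed(void)
{
    const struct field_desc f[] = {
        { "u_fpregs", offsetof(struct mock_user_flawed, u_fpregs), 0 },
        { "u_uid",    offsetof(struct mock_user_flawed, u_uid),    1 },
        { "u_gid",    offsetof(struct mock_user_flawed, u_gid),    1 },
        { "u_kstack", offsetof(struct mock_user_flawed, u_kstack), 0 },
        { "u_ofile",  offsetof(struct mock_user_flawed, u_ofile),  1 },
    };
    return count_exposed(f, sizeof f / sizeof f[0], PAGE_SIZE);
}

/* Offset of the first sensitive field in the fixed layout; the mapping
 * handed to user space must end at or before this byte. */
size_t fixed_sensitive_start(void)
{
    return offsetof(struct mock_user_fixed, u_uid);
}

int main(void)
{
    printf("fixed layout:\n");
    printf("  %d sensitive field(s) in mapped page\n", fixed_layout_exposed());
    printf("flawed layout:\n");
    printf("  %d sensitive field(s) in mapped page\n", flawed_layout_exposed());
    printf("fixed layout: sensitive data starts at byte %zu\n",
           fixed_sensitive_start());
    return 0;
}
```

Compile with any C99 compiler and run; the flawed layout reports u_uid and
u_gid as reachable from the mapped page, the fixed one reports nothing. The
same offset-versus-boundary check applies to any kernel structure that is
partially exposed to a less privileged domain, and it is worth keeping as a
build-time check so a later field reordering cannot quietly move something
sensitive back into the shared page.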
