[TUHS] Old Unix vulnerabilities
Tony Finch
dot at dotat.at
Mon May 15 19:46:08 AEST 2017
Random832 <random832 at fastmail.com> wrote:
> On Sat, May 13, 2017, at 19:34, Dave Horsfall wrote:
> >
> > A beauty in V6 (and possibly V7) was discovered by the kiddies in Elec
> > Eng; by sending a signal with an appropriately-crafted negative value (as
> > determined from inspecting <user.h>) you could overwrite u.u_uid with
> > zero... Needless to say I scrambled to fix that one on my 11/40 network!
>
> V7 fixes it by changing the if(sig >= NSIG) in psignal to cast it to
> unsigned.
Even without that check V7 wouldn't be vulnerable. In V6, the
vulnerability occurs in psig() when the signal action is reset:
http://minnie.tuhs.org/cgi-bin/utree.pl?file=V6/usr/sys/ken/sig.c
rp = u.u_procp;
n = rp->p_sig;
rp->p_sig = 0;
if((p=u.u_signal[n]) != 0) {
u.u_error = 0;
if(n != SIGINS && n != SIGTRC)
u.u_signal[n] = 0;
/* if n < 0 this can overwrite u.u_uid */
In V7, instead of a single pending signal, there is a bitmap of pending
signals, so the corresponding code is,
http://minnie.tuhs.org/cgi-bin/utree.pl?file=V7/usr/sys/sys/sig.c
n = fsig(rp);
if (n==0)
return;
rp->p_sig &= ~(1<<(n-1));
if((p=u.u_signal[n]) != 0) {
u.u_error = 0;
if(n != SIGINS && n != SIGTRC)
u.u_signal[n] = 0;
/* always within the array bounds */
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Viking, North Utsire, South Utsire, Northeast Forties: Variable becoming
southeasterly 3 or 4, increasing 5 to 7, perhaps gale 8 later. Slight or
moderate becoming moderate or rough later. Fog patches, rain later. Moderate,
occasionally very poor.
More information about the TUHS
mailing list