Bugtraq mailing list archives

Re: strace can lie

From: v2 () MOONTV FI (Sampo Savolainen)
Date: Tue, 28 Dec 1999 13:24:45 +0200


On Sat, 25 Dec 1999, Pavel Machek wrote:

void
main(void)
{
  char *c = 0x94000000;
  open( "/tmp/delme", O_RDWR );
  mmap( c, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED, 3, 0);
  *c = 0;
  if (fork()) {
    while(1) {
      strcpy( c, "/public" );
      strcpy( c, "/secret" );
    }
  } else
    while (1)
      open( c, 0 );
}

[pid   224] open("/public", O_RDONLY)  = 718
[pid   224] open("/secret", O_RDONLY)  = 719
[pid   224] open("/public", O_RDONLY)  = 720


I tried this with Linux 2.3.20, it worked fine:

cristobal:~# ls -l /secret /public
-rw-rw-r--   1 root     root            7 Dec 28 13:17 /public
--w--w----   1 root     root            7 Dec 28 13:17 /secret

and the strace log:

[pid 10999] open("/public", O_RDONLY)   = 192
[pid 10999] open("/secret", O_RDONLY)   = -1 EACCES (Permission denied)

..most of the time.

from 1270 tried opens, 11 tries had the wrong filename read from memory.

Does the kernel save the filename anywhere in the filedescriptor arrays?
If it does, then strace could be easily modified to read the filename from
the kernel, not from the programs userspace.

------------------------------------------------------------------------------
v2 - Sampo Savolainen - 040 7555649       Saraxa Media / Finngemma Tuotanto Oy

Current thread:

strace can lie Pavel Machek (Dec 25)
- Re: strace can lie Sampo Savolainen (Dec 28)
- Local / Remote D.o.S Attack in Savant Web Server V2.0 WIN9X / NT / 2K Ussr Labs (Dec 28)
- <Possible follow-ups>
- Re: strace can lie der Mouse (Dec 27)
- strace can lie Misha Dankov (Dec 28)