Re: 2.2.0 SECURITY

pacman (pacman-kernel@cqc.com)
Wed, 27 Jan 1999 03:32:12 -0500 (EST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: David S. Miller: "Re: tcpdump & libpcap"
Previous message: Jeremy Fitzhardinge: "Re: 2.2.0 SECURITY"
In reply to: Tom Holroyd: "ldd & pmd"
Next in thread: Jeremy Fitzhardinge: "Re: 2.2.0 SECURITY"

David S. Miller writes the following:
>What it should be doing is:
>
>1) Exec'ing /lib/ld-linux.so.2
>2) That reads in the ELF header of the core file
>3) Next it mmap's all of the segments
>4) Next it jumps into lala-land in on of the final mmaps
> is got, and dies with an illegal instruction on Sparc
>
>I think something hokey is happening at step #4 on Intel if the timing
>is right as the process is being killed...

Well, here's a strace -i -f ldd notcore:

[pid 378] [2aab1127] geteuid() = 500
[pid 378] [2aab11a7] getegid() = 500
[pid 378] [2aab13ec] brk(0) = 0x2aab49f8
[pid 378] [2aab13ec] brk(0x2aab59f8) = 0x2aab59f8
[pid 378] [2aab1304] open("./notcore", O_RDONLY) = 3
[pid 378] [2aab14dd] mmap(0, 4096, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40000000
[pid 378] [2aab1521] munmap(0x40000000, 4096) = 0
[pid 378] [2aab14dd] mmap(0x8048000, 4096, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x8048000
[pid 378] [2aab14dd] mmap(0x8049000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x1000) = 0x8049000
[pid 378] [2aab14dd] mmap(0x40000000, 40960, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x40000000
[pid 378] [2aab14dd] mmap(0x4000a000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x2000) = 0x4000a000
[pid 378] [2aab14dd] mmap(0x4000e000, 593920, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x4000e000
[pid 378] [2aab14dd] mmap(0x4009f000, 32768, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x3000) = 0x4009f000
[pid 378] [2aab14dd] mmap(0x400a7000, 49152, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0xb000) = 0x400a7000
[pid 378] [2aab14dd] mmap(0xbffff000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED, 3, 0x17000free_one_pmd: bad directory entry 000001e3
) = 0xbffff000

afterwards, it's not dead, but the ldd is hung, and ps shows:
tmpguy 377 0.0 0.2 1212 676 1 T 19:54 0:00 sh /usr/bin/ldd notcore
tmpguy 378 0.0 0.0 764 44 1 R 19:54 0:00 \37777777777\37777777773 \017 \37777777666\37777777776\37777777777\37777777677

/proc/378/maps is:
08048000-08049000 r-xp 00000000 00:00 0
08049000-0804a000 rw-p 00001000 08:09 17 /tmp/notcore
2aaaa000-2aab4000 r-xp 00000000 08:01 1997 /lib/ld-2.0.7.so
2aab4000-2aab5000 rw-p 00009000 08:01 1997 /lib/ld-2.0.7.so
2aab5000-2aab6000 rwxp 00000000 00:00 0
40000000-4000a000 r-xp 00000000 00:00 0
4000a000-4000b000 rw-p 00002000 08:09 17 /tmp/notcore
4000e000-4009f000 r-xp 00000000 00:00 0
4009f000-400b3000 rw-p 00003000 08:09 17 /tmp/notcore
bffff000-c0000000 rwxp 00017000 08:09 17 /tmp/notcore

Everything degenerates pretty quickly after that though, with the pc speaker
going into continuous-beep to signal when it's time to hit the big red
button.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: David S. Miller: "Re: tcpdump & libpcap"
Previous message: Jeremy Fitzhardinge: "Re: 2.2.0 SECURITY"
In reply to: Tom Holroyd: "ldd & pmd"
Next in thread: Jeremy Fitzhardinge: "Re: 2.2.0 SECURITY"