| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <95180.1228448127@turing-police.cc.vt.edu>
Date: Thu, 04 Dec 2008 22:35:27 -0500
From: Valdis.Kletnieks@...edu
To: Geoffrey McRae <geoff@...idhost.com>
Cc: Peter Teoh <htmldeveloper@...il.com>,
Alan Cox <alan@...rguk.ukuu.org.uk>,
Nick Andrew <nick@...k-andrew.net>,
linux-kernel@...r.kernel.org
Subject: Re: New Security Features, Please Comment
On Fri, 05 Dec 2008 09:30:54 +1100, Geoffrey McRae said:
> On Thu, 2008-12-04 at 16:56 -0500, Valdis.Kletnieks@...edu wrote:
> > while (getpid()) msleep(1);
> > /* malicious code here */
> >
>
> This would only be dangerous if the parent did not wait for the child to
> finish its task before changing its uid, which for a FastCGI app, it has
> to as it needs the response to send back to the client. All that would
> happen here is the CGI script would sleep forever, or until the HTTP
> server killed the process.
Thus providing me with a way to DoS your webserver by sticking all your
server processes into a sleep-forever... :)
You're also overlooking the fact that the malicious code could do something
like this:
/* send the parent something that makes it *think* the request finished */
printf("We're all done now\n");
while (getpid()) msleep (1);
Remember - whatever the child is doing to signal that it's done, can *also*
be done by the exploit code. There's only one real exception - the child
can call exit() - if the exploit exits so a SIGCHLD is generated, then
it can't run anymore. However, since the whole *point* here is avoiding
the usual exit/fork/exec overhead...
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists