* [9fans] devproc procctl close bug
From: cinap_lenrek @ 2014-05-26 20:09 UTC
To: 9fans
there's a bug in devproc again.
the fd is not bounds checked for the "close fd"
procctl command and the "closefiles" command misses
the last fd as it iterates from:
fd=0 to maxfd-1 and not to maxfd in procctlclosefiles()
static void
procctlcloseone(Proc *p, Fgrp *f, int fd)
{
	Chan *c;

	c = f->fd[fd];		// <-- not checked: fd is used as an index with no range test
	if(c == nil)
		return;
	f->fd[fd] = nil;
	unlock(f);
	qunlock(&p->debug);	// drop both locks around cclose(), which may sleep
	cclose(c);
	qlock(&p->debug);
	lock(f);
}

static void
procctlclosefiles(Proc *p, int all, int fd)
{
	int i;
	Fgrp *f;

	f = p->fgrp;
	if(f == nil)
		error(Eprocdied);
	lock(f);
	f->ref++;		// hold a reference on the group while walking it
	if(all)
		for(i = 0; i < f->maxfd; i++)	// <-- wrong: maxfd is the highest fd in use, so it is never visited
			procctlcloseone(p, f, i);
	else
		procctlcloseone(p, f, fd);
	unlock(f);
	closefgrp(f);
}
...
case CMclose:
	procctlclosefiles(p, 0, atoi(cb->f[1]));	// <-- fd can be anything
	break;
case CMclosefiles:
	procctlclosefiles(p, 1, 0);
	break;
--
cinap
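Added example, not code from this thread or from the Plan 9 kernel: a user-space C model of the two defects described in the message above. Fgrp, Chan and cclose are stand-ins built for the example, and the function names (setup, openchans, closeone_posted, closeone_checked, closefiles_posted, closefiles_checked, demo_closefiles, demo_close) are the example's own. maxfd keeps its kernel meaning, the highest fd slot in use, so a walk that stops at i < maxfd never reaches that slot, and a close request whose fd comes straight from atoi() needs a check against [0, maxfd] before the table is indexed.

```c
/* Added example (not code from the 9fans thread or the Plan 9 kernel):
 * a user-space model of the procctl close path, the posted behaviour
 * beside a range-checked version. Fgrp/Chan/cclose are cut down to what
 * is needed to see which fds get closed; every fd table here is constructed. */
#include <stdio.h>
#include <string.h>
enum { NFD = 8 };
typedef struct Chan { int ref; } Chan;
typedef struct Fgrp {
	Chan *fd[NFD];
	int maxfd;	/* highest slot in use, inclusive, as in the kernel */
} Fgrp;

static Chan chans[NFD];
static void cclose(Chan *c) { c->ref--; }

/* Constructed fixture: fds 0..n-1 open, so maxfd == n-1. */
static void setup(Fgrp *f, int n)
{
	int i;
	memset(f, 0, sizeof *f);
	memset(chans, 0, sizeof chans);
	f->maxfd = n - 1;
	for(i = 0; i < n; i++){
		chans[i].ref = 1;
		f->fd[i] = &chans[i];
	}
}

/* Chans still referenced after a walk. */
static int openchans(void)
{
	int i, n = 0;
	for(i = 0; i < NFD; i++)
		n += chans[i].ref > 0;
	return n;
}

/* As posted: fd indexes the table with no range test (only called in range here). */
static void closeone_posted(Fgrp *f, int fd)
{
	Chan *c = f->fd[fd];	/* an out-of-range fd would read outside fd[] */
	if(c == NULL)
		return;
	f->fd[fd] = NULL;
	cclose(c);
}

/* As posted: i < maxfd stops one short. Returns chans left open. */
static int closefiles_posted(Fgrp *f)
{
	int i;
	for(i = 0; i < f->maxfd; i++)
		closeone_posted(f, i);
	return openchans();
}

/* Checked: reject fd outside [0, maxfd] before indexing. -1 rejected, 0 empty slot, 1 closed. */
static int closeone_checked(Fgrp *f, int fd)
{
	Chan *c;
	if(fd < 0 || fd > f->maxfd)
		return -1;
	c = f->fd[fd];
	if(c == NULL)
		return 0;
	f->fd[fd] = NULL;
	cclose(c);
	return 1;
}

/* Checked: the inclusive bound reaches maxfd. Returns chans left open. */
static int closefiles_checked(Fgrp *f)
{
	int i;
	for(i = 0; i <= f->maxfd; i++)
		closeone_checked(f, i);
	return openchans();
}

/* Probes, each on a fresh table of three fds (0..2). */
static int demo_closefiles(int checked)
{
	Fgrp f;
	setup(&f, 3);
	return checked ? closefiles_checked(&f) : closefiles_posted(&f);
}
static int demo_close(int fd)
{
	Fgrp f;
	setup(&f, 3);
	return closeone_checked(&f, fd);
}

int main(void)
{
	printf("posted closefiles: %d open, checked: %d open\n", demo_closefiles(0), demo_closefiles(1));
	printf("close -1: %d, close 7: %d, close 2: %d\n", demo_close(-1), demo_close(7), demo_close(2));
	return 0;
}
```

The posted walk leaves one chan open (slot maxfd), the checked walk leaves none, and the checked single close turns a negative or oversized fd into a rejection instead of an array index.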
* Re: [9fans] devproc procctl close bug
From: erik quanstrom @ 2014-05-26 20:27 UTC
To: 9fans
On Mon May 26 16:10:59 EDT 2014, cinap_lenrek@felloff.net wrote:
> there's a bug in devproc again.
>
> the fd is not bounds checked for the "close fd"
> procctl command and the "closefiles" command misses
> the last fd as it iterates from:
good catch. applied patch to 9atom.
- erik
* Re: [9fans] devproc procctl close bug
From: cinap_lenrek @ 2014-05-26 20:31 UTC
To: 9fans
excellent :)
--
cinap
* Re: [9fans] devproc procctl close bug
From: erik quanstrom @ 2014-05-26 20:33 UTC
To: 9fans
On Mon May 26 16:32:54 EDT 2014, cinap_lenrek@felloff.net wrote:
> excellent :)
why, do you plan a plan 9 botnet that exploits this hole :-).
- erik