Current devel kernel - possible security hole

Paul paul at all-the-johnsons.co.uk
Fri Aug 5 10:35:45 UTC 2005 

Hi,

Using kernel-2.6.12-1.1448_FC5

Is there any way to check a potential hole I unearthed last night? I
need to know if it is Mono causing the problem or the kernel or some
other component.

I have a small mono application which uses threading. Somehow, I managed
to run the application and kill the desktop, but was then able to
access, as a standard user, and both read and write to anywhere on my
hard drive.

I can reproduce the problem with the same application, but not with same
code using C or C++.

Can anyone advise me on this? I don't know if it is the threading model
used in mono (which I have a feeling is POSIX so that shouldn't make
much of a difference), a FC component or the kernel. Source code is
below - sorry about it being in C#. The code was deliberately written to
chew system resources.

TTFN

Paul

using System;
using System.Threading;
using System.Windows.Forms;
using System.Drawing;

public class Sharing1 : Form
{
  private TextBox accessCountBox = new TextBox();
  private Button start = new Button();
  private Button watch = new Button();
  private int accessCount = 0;

  public void incrementAccess()
  {
    accessCount++;
    accessCountBox.Text = accessCount.ToString();
  }

  private int numCounters = 12;
  private int numWatchers = 15;
  private TwoCounter[] s;

  public Sharing1()
  {
    ClientSize = new Size(450, 480);
    Panel p = new Panel();
    p.Size = new Size(400, 50);
    start.Click += new EventHandler(StartAllThreads);
    watch.Click += new EventHandler(StartAllWatchers);

    accessCountBox.Text = "0";
    accessCountBox.Location = new Point(10, 10);
    start.Text = "Start threads";
    start.Location = new Point(110, 10);
    watch.Text = "Begin watching";
    watch.Location = new Point(210, 10);

    p.Controls.Add(start);
    p.Controls.Add(watch);
    p.Controls.Add(accessCountBox);

    s = new TwoCounter[numCounters];
    for (int i = 0; i < s.Length; i++)
    {
      s[i] = new TwoCounter(new
TwoCounter.IncrementAccess(incrementAccess));
      s[i].Location = new Point(10, 50 + s[i].Height * i);
      Controls.Add(s[i]);
    }

    this.Closed += new EventHandler(StopAllThreads);
    Controls.Add(p);
  }

  public void StartAllThreads(object sender, EventArgs ea)
  {
    for (int i = 0; i < s.Length; i++)
      s[i].Start();
  }

  public void StopAllThreads(object sender, EventArgs ea)
  {
    for (int i = 0; i < s.Length; i++)
      if (s[i] != null)
	s[i].Stop();
  }

  public void StartAllWatchers(object sender, EventArgs ea)
  {
    for (int i = 0; i < numWatchers; i++)
      new Watcher(s);
  }

  public static void Main(string [] args)
  {
    Sharing1 app = new Sharing1();
    if (args.Length > 0)
    {
      app.numCounters = SByte.Parse(args[0]);
      if (args.Length == 2)
	app.numCounters = SByte.Parse(args[1]);
    }
    Application.Run(app);
  }
}

class TwoCounter : Panel
{
  private bool started = false;
  private Label t1;
  private Label t2;
  private Label lbl;
  private Thread t;

  private int count1 = 0, count2 = 0;
  public delegate void IncrementAccess();
  IncrementAccess del;

  public TwoCounter(IncrementAccess del)
  {
    this.del = del;
    this.Size = new Size(350, 30);
    this.BorderStyle = BorderStyle.Fixed3D;
    t1 = new Label();
    t1.Location = new Point(10, 10);
    t2 = new Label();
    t2.Location = new Point(110, 10);
    lbl = new Label();
    lbl.Location = new Point(210, 10);
    lbl.Text = "Count1 == Count2";
    Controls.AddRange(new Control[] {t1, t2, lbl} );

    t = new Thread(new ThreadStart(run));
  }

  public void Start()
  {
    if (!started)
    {
      started = true;
      t.Start();
    }
  }

  public void Stop()
  {
    t.Abort();
  }

  public void run()
  {
    while(true)
    {
      t1.Text = (++count1).ToString();
      t2.Text = (++count2).ToString();
      Thread.Sleep(500);
    }
  }

  public void synchTest()
  {
    del();
    if (count1 != count2)
      lbl.Text = "Unsynched";
  }
}

class Watcher
{
  TwoCounter[] s;

  public Watcher(TwoCounter[] s)
  {
    this.s = s;
    new Thread(new ThreadStart(run)).Start();
  }

  public void run()
  {
    while(true)
    {
      for(int i = 0; i < s.Length; i++)
	s[i].synchTest();
      Thread.Sleep(500);
    }
  }
}


-- 
"Some people will do anything for a woman in uniform" - The Doctor -
Unregenerate (Big Finish audio)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20050805/42f4123c/attachment.sig>

More information about the fedora-devel-list mailing list