On Thu, 2011-04-21 at 10:29 +0900, KOSAKI Motohiro wrote:
> And one correction.
> ------------------------------------------------------------------
> static ssize_t comm_write(struct file *file, const char __user *buf,
>                           size_t count, loff_t *offset)
> {
>         struct inode *inode = file->f_path.dentry->d_inode;
>         struct task_struct *p;
>         char buffer[TASK_COMM_LEN];
>
>         memset(buffer, 0, sizeof(buffer));
>         if (count > sizeof(buffer) - 1)
>                 count = sizeof(buffer) - 1;
>         if (copy_from_user(buffer, buf, count))
>                 return -EFAULT;
>
>         p = get_proc_task(inode);
>         if (!p)
>                 return -ESRCH;
>
>         if (same_thread_group(current, p))
>                 set_task_comm(p, buffer);
>         else
>                 count = -EINVAL;
> ------------------------------------------------------------------
>
> This code doesn't have a proper credential check. IOW, you forgot the
> pthread_setuid_np() case.

Sorry, could you expand on this a bit? Google isn't coming up with much for
pthread_setuid_np.

Can a thread actually end up with a different uid than the process it is a
member of? Or is same_thread_group not really what I think it is?

What would be a better way to check that the two threads are members of the
same process?

thanks
-john

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@xxxxxxxxxx  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Fight unfair telecom internet charges in Canada: sign http://stopthemeter.ca/
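Added example, not code from this thread and not kernel code: a small userspace C program showing the situation behind KOSAKI's remark, namely that on Linux the setuid(2) syscall changes the credentials of the calling thread only. glibc's setuid() wrapper hides this by signalling every thread in the process to repeat the call, but a raw syscall(SYS_setuid, ...) bypasses that, so two threads of one thread group (which same_thread_group() would treat as equals) can report different uids. It assumes Linux and a libc whose pthread_create() needs no extra link flag (glibc >= 2.34 or musl); the names demo_result, run_demo, uids_diverged and pick_target_uid are my own. Actually changing the uid needs CAP_SETUID, so run unprivileged the raw setuid fails with EPERM and the program reports that both threads still agree.

```c
/* Added demonstration (not from the thread, not kernel code): the setuid(2)
 * syscall applies to the calling thread only. glibc's setuid() broadcasts
 * the call to every thread with a signal; a raw syscall skips that, so one
 * thread group can hold threads with different credentials, which is why
 * same_thread_group() alone is not a credential check.
 *
 * Assumptions: Linux; pthread_create() available from libc without -lpthread
 * (glibc >= 2.34 or musl). Changing the uid needs CAP_SETUID; without it the
 * raw setuid fails with EPERM and the two uids stay equal. */
#define _GNU_SOURCE
#include <errno.h>
#include <pthread.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

struct demo_result {
    uid_t main_uid;   /* uid seen by the main thread after the child ran */
    uid_t child_uid;  /* uid seen by the second thread after its raw setuid */
    int   setuid_ok;  /* 1 if the raw setuid syscall in the child succeeded */
    int   setuid_err; /* errno of the raw setuid when it failed, else 0 */
};

/* Pick a uid that differs from the caller's real, effective and saved uid,
 * so an unprivileged setuid cannot "succeed" by setting the uid it already has. */
static uid_t pick_target_uid(void)
{
    uid_t r = 0, e = 0, s = 0;
    uid_t cand = 65534; /* "nobody" on most systems; any uid we do not hold works */
    getresuid(&r, &e, &s);
    while (cand == r || cand == e || cand == s)
        cand--;
    return cand;
}

struct thread_arg { uid_t target; struct demo_result *res; };

static void *thread_fn(void *p)
{
    struct thread_arg *a = p;
    /* Raw syscall: changes this thread's credentials only, unlike glibc setuid(). */
    long rc = syscall(SYS_setuid, a->target);
    a->res->setuid_ok  = (rc == 0);
    a->res->setuid_err = (rc == 0) ? 0 : errno;
    /* getuid(2) reports the credentials of the calling thread. */
    a->res->child_uid = getuid();
    return NULL;
}

/* Run the demonstration. Returns 0 on success, -1 if no thread could be created. */
int run_demo(struct demo_result *res)
{
    struct thread_arg a = { pick_target_uid(), res };
    pthread_t t;
    if (pthread_create(&t, NULL, thread_fn, &a) != 0)
        return -1;
    pthread_join(t, NULL);
    /* Read the main thread's uid after the child's syscall: it is untouched. */
    res->main_uid = getuid();
    return 0;
}

/* 1 if the two threads of one thread group now report different uids. */
int uids_diverged(const struct demo_result *res)
{
    return res->child_uid != res->main_uid;
}

int main(void)
{
    struct demo_result r;
    if (run_demo(&r) != 0) {
        perror("pthread_create");
        return 1;
    }
    if (r.setuid_ok)
        printf("raw setuid in thread succeeded: main uid=%u, thread uid=%u -> %s\n",
               (unsigned)r.main_uid, (unsigned)r.child_uid,
               uids_diverged(&r) ? "different credentials in one thread group"
                                 : "same");
    else
        printf("raw setuid in thread failed (errno %d, CAP_SETUID needed): "
               "main uid=%u, thread uid=%u\n", r.setuid_err,
               (unsigned)r.main_uid, (unsigned)r.child_uid);
    return 0;
}
```

Run it as root to see the two uids diverge; run it unprivileged and the raw setuid fails, which is the only reason the uids stay equal. Either way the main thread's uid is never touched by the child's syscall, so a check that only asks "same thread group?" says nothing about whether the caller's credentials match the target thread's.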