[alt.security] partial fix for TIOCSTI problem on MIPS

pete@ohm.york.ac.uk (-Pete French.) (05/21/91)

here is a partial fix for the TIOCSTI problem (which works wonderfully on
the MIPS sysv libraries, but not the BSD ones!). It patches the library
and as such is not a lot of good, since people could get round it by
writing machine code to perform the ioctl directly... but it stops
casual C programmers from exploiting the bug.

The new ioctl.o is made from a C file compiled to a .s, which is then
patched to include machine code to perform the ioctl. We don't have source
here, so the code was written with reference to a disassembly of the
original ioctl.o. The new ioctl.o replaces the ioctl.o in all the old
sysv libraries. The makefile patches /usr/lib/libc.a and /usr/lib/libc_G0.a.

-bat.

-------------------------------------------------------------------------

#! /bin/sh
# This is a shell archive.  Remove anything before this line, then unpack
# it by saving it into a file and typing "sh file".  To overwrite existing
# files, type "sh file -c".  You can also feed this as standard input via
# unshar, or by typing "sh <file", e.g..  If this archive is complete, you
# will see the following message at the end:
#		"End of shell archive."
# Contents:  Makefile ioctl.c ioctl.cdif
# Wrapped by pete@glenlivet on Mon May 20 18:25:48 1991
#
# What the three embedded files do together:
#   Makefile   - compiles ioctl.c to ioctl.s, applies ioctl.cdif to the .s,
#                assembles the result, and (target "install") writes the new
#                ioctl.o into /usr/lib/libc.a and /usr/lib/libc_G0.a with
#                "ar rv" followed by ranlib.
#   ioctl.c    - a replacement ioctl() that refuses TIOCSTI unless
#                geteuid() == 0; every other request is forwarded to ___().
#                ___() is deliberately left empty in the C source.
#   ioctl.cdif - a context diff against the compiler's .s output that fills
#                the empty ___() body with the raw system-call sequence
#                (li $2,1054 / syscall / branch on $7, else j _cerror) copied
#                from a disassembly of the original ioctl.o, and drops the
#                ".globl ___" directive so the helper is not exported.
#
# Things to know before running "make install":
#   - The check lives in libc, not in the kernel: a program that issues the
#     system call itself is not restricted (the covering post says so).
#   - Only the effective uid is consulted (geteuid() in ioctl.c).
#   - A refused TIOCSTI writes "Security violation!" to fd 2 and calls
#     exit(-1); the calling process is terminated rather than receiving an
#     error return from ioctl().
#   - The diff addresses fixed line ranges (70-76 and 81-91) of ioctl.s; a
#     different compiler release may emit different line numbers, and
#     "patch" may then reject or mis-apply the hunks.  Inspect ioctl.s
#     after patching, before assembling.
#   - 1054 as the system-call number, and $7 / _cerror as the error-return
#     convention, were taken from one machine's disassembly; confirm them
#     against the ioctl.o in this machine's libc.a before installing.
#   - "install" modifies both archives in place and keeps no backup copy;
#     save /usr/lib/libc.a and /usr/lib/libc_G0.a first.
#   - The byte counts (288, 911, 554) below are checked with "wc -c"; any
#     edit to an embedded file changes its count and the size warning fires.
PATH=/bin:/usr/bin:/usr/ucb ; export PATH
# Each file is extracted only if it does not already exist, unless the
# archive was invoked as "sh file -c".  The leading "X" on every embedded
# line is archive framing, stripped by sed; it is not part of the file.
if test -f 'Makefile' -a "${1}" != "-c" ; then 
  echo shar: Will not clobber existing file \"'Makefile'\"
else
echo shar: Extracting \"'Makefile'\" \(288 characters\)
sed "s/^X//" >'Makefile' <<'END_OF_FILE'
X#Makefile for the new ioctl: -Pete French.
X
Xioctl.o : ioctl.c
X	cc -O -S ioctl.c
X	patch ioctl.s < ioctl.cdif
X	cc -c -O ioctl.s -o ioctl.o
X	rm -f ioctl.s*
X
Xinstall : ioctl.o
X	ar rv /usr/lib/libc.a ioctl.o
X	ar rv /usr/lib/libc_G0.a ioctl.o
X	ranlib /usr/lib/libc.a
X	ranlib /usr/lib/libc_G0.a
END_OF_FILE
# Size check only warns; it does not undo the extraction.
if test 288 -ne `wc -c <'Makefile'`; then
    echo shar: \"'Makefile'\" unpacked with wrong size!
fi
# end of 'Makefile'
fi
# ioctl.c: the wrapper with the TIOCSTI/euid check.  The ___() stub at the
# bottom exists only so the compiler emits a function skeleton for
# ioctl.cdif to fill in.
if test -f 'ioctl.c' -a "${1}" != "-c" ; then 
  echo shar: Will not clobber existing file \"'ioctl.c'\"
else
echo shar: Extracting \"'ioctl.c'\" \(911 characters\)
sed "s/^X//" >'ioctl.c' <<'END_OF_FILE'
X/*
X * new ioctl.c - this is a fix for a bug in TIOCSTI. This
X * call should oly be available to root. The new verison
X * of the call performs the necessary check before allowing
X * the system call to take place. This file is used in
X * conjunction with patch to insert a machine code segment
X * to perform the actual ioctl. The machine code segment was
X * written from a disassembly of the MIPS ioctl.o in the SYSV
X * libc.a since we dont have source code. I know its not
X * perfect - but it partially solves the problem.
X *
X * -Pete French. 20/5/91
X */
X
X
X#include <sys/types.h>
X#include <sys/ioctl.h>
X
Xstatic char *ems="Security violation!\n";
X
Xioctl(d, request, argp)
Xint d;
Xunsigned long request;
Xchar *argp;
X{
Xif((request != TIOCSTI)	|| (geteuid() == (uid_t)0))
X ___(d,request, argp);
Xelse
X {
X  write(2,ems,strlen(ems));
X  exit(-1);
X }
X}
X
X___(d, request, argp)
Xint d;
Xunsigned long request;
Xchar *argp;
X{
X}
END_OF_FILE
if test 911 -ne `wc -c <'ioctl.c'`; then
    echo shar: \"'ioctl.c'\" unpacked with wrong size!
fi
# end of 'ioctl.c'
fi
# ioctl.cdif: applied to ioctl.s by the Makefile.  First hunk removes the
# ".globl ___" line; second hunk replaces the empty ___() body (frame setup
# and argument stores) with the system-call sequence.
if test -f 'ioctl.cdif' -a "${1}" != "-c" ; then 
  echo shar: Will not clobber existing file \"'ioctl.cdif'\"
else
echo shar: Extracting \"'ioctl.cdif'\" \(554 characters\)
sed "s/^X//" >'ioctl.cdif' <<'END_OF_FILE'
X*** ioctl.s.old	Mon May 20 18:06:11 1991
X--- ioctl.s	Mon May 20 18:07:50 1991
X***************
X*** 70,76 ****
X  	.text	
X  	.align	2
X  	.file	2 "ioctl.c"
X- 	.globl	___
X  	.loc	2 39
X   #  34	
X   #  35	___(d, request, argp)
X--- 70,75 ----
X***************
X*** 81,91 ****
X  	.ent	___ 2
X  ___:
X  	.option	O2
X! 	.frame	$sp, 0, $31
X! 	sw	$4, 0($sp)
X! 	sw	$5, 4($sp)
X! 	sw	$6, 8($sp)
X! 	.loc	2 40
X!  #  40	}
X  	j	$31
X  	.end	___
X--- 80,89 ----
X  	.ent	___ 2
X  ___:
X  	.option	O2
X! 	li	$2,1054
X! 	syscall
X! 	beq	$7,$0,L1io
X! 	j	_cerror
X! L1io:
X  	j	$31
X  	.end	___
END_OF_FILE
if test 554 -ne `wc -c <'ioctl.cdif'`; then
    echo shar: \"'ioctl.cdif'\" unpacked with wrong size!
fi
# end of 'ioctl.cdif'
fi
echo shar: End of shell archive.
exit 0
-- 
-Pete French. (the -bat. )         /  "Two wrongs don't make a right,
Adaptive Systems Engineering      /    - but three lefts do !"