Free Republic
General/Chat

To: sten

Someone should have tested it with the __WCLONE option at least once to see if it returned -EINVAL


if ((options == (__WCLONE|__WALL))


Actually it wouldn’t - the code is written to only return that value if BOTH flags were set AND ONLY both flags were set. The bitwise OR and the equality test results in an AND semantic.

Whether this itself makes sense (i.e. to only take the conditional if both flags are set) or if this would tend to be something with some more devious intent - I don’t have enough knowledge to say.


20 posted on 10/10/2013 3:20:43 PM PDT by 2 Kool 2 Be 4-Gotten


To: 2 Kool 2 Be 4-Gotten

An interesting secondary check would be to look for any code out there that would make the call with both of those options set. See if something was checked in somewhere... and maybe follow from there.


23 posted on 10/10/2013 4:38:19 PM PDT by sten (fighting tyranny never goes out of style)

To: 2 Kool 2 Be 4-Gotten
Whether this itself makes sense (i.e. to only take the conditional if both flags are set) or if this would tend to be something with some more devious intent - I don’t have enough knowledge to say.

C short-circuit evaluates conditionals. That means, if the first term of an ANDed pair of terms is false, the second term is never evaluated.

So, in this case, the term (options == (__WCLONE|__WALL)) is acting as an "open sesame" incantation. You have to know about it in order to open the backdoor. Unless the options check evaluates to true, the (current->uid = 0) is simply skipped. If the options check does evaluate true, then the uid gets set to zero (root), and the number zero is evaluated as a boolean, resulting in a value of false. Thus, in neither case does retval = -EINVAL; take place.

27 posted on 10/10/2013 7:53:37 PM PDT by cynwoody
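The behaviour described in post 27, as an added example that is not part of the original thread or of the kernel source: a user-space sketch that runs the quoted condition beside the same condition written with `==`. The `struct demo_task`, the `DEMO_*` flag values and all function names are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed user-space stand-ins (assumptions, not kernel definitions). */
#define DEMO_WCLONE 0x80000000u
#define DEMO_WALL   0x40000000u
struct demo_task { unsigned int uid; };
typedef int (*check_fn)(struct demo_task *, unsigned int);

/* Condition as quoted in the thread: '=' stores 0 in uid, then 0 tests false. */
static int check_as_posted(struct demo_task *cur, unsigned int options)
{
    int retval = 0;
    if ((options == (DEMO_WCLONE | DEMO_WALL)) && (cur->uid = 0))
        retval = -EINVAL;   /* unreachable: right-hand term is always 0 */
    return retval;
}

/* Same condition with '==': uid is only read, never written. */
static int check_with_comparison(struct demo_task *cur, unsigned int options)
{
    int retval = 0;
    if ((options == (DEMO_WCLONE | DEMO_WALL)) && (cur->uid == 0))
        retval = -EINVAL;
    return retval;
}

/* Run one check on a task starting at start_uid; return the uid afterwards. */
static unsigned int uid_after(check_fn fn, unsigned int start_uid,
                              unsigned int options, int *retval)
{
    struct demo_task t = { start_uid };
    *retval = fn(&t, options);
    return t.uid;
}

int main(void)
{
    const unsigned int opts[] = { 0, DEMO_WCLONE, DEMO_WALL,
                                  DEMO_WCLONE | DEMO_WALL };
    for (size_t i = 0; i < sizeof opts / sizeof opts[0]; i++) {
        int r1, r2;
        unsigned int u1 = uid_after(check_as_posted, 1000, opts[i], &r1);
        unsigned int u2 = uid_after(check_with_comparison, 1000, opts[i], &r2);
        printf("options=0x%08x  '=': uid=%u ret=%d  '==': uid=%u ret=%d\n",
               opts[i], u1, r1, u2, r2);
    }
    return 0;
}
```

Only the row with both flags set differs between the two forms: the assignment form leaves the uid at 0 and still returns 0, which is why testing with a single flag would not have exposed it.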
