search for: eat_desc

...0,1,2 are open anyway ). But execve needs one unused descriptor to work - execve will fail, not giving ld-linux.so a chance to misbehave. Section IV. Scenario 2. We may create a race condition, gambling on the number of free file table entries. First, let''s spawn 3 processes ( called eat_desc ) which will use up 256 descriptors each and sleep. Then we spawn simultaneosly another eat_desc and a program (called spawn.c ) which executes execl("/usr/bin/passwd",long_argv0,0). Of course we can utilize any other dynamically linked suid binary. Assuming that file table has 1024 entri...