CSE4001 Spring 2004 Final Exam, open book, open notes. Name ________________ 1. Suppose file1 and file2 are files. Write UNIX commands (using any shell) to do the following: (5 pts each). Append file2 to file1. ANSWER: cat file2 >> file1 Display in sorted order (one screen at a time) all lines in file1 that contain a space character. ANSWER: grep ' ' file1 | sort | more Make file1 writable by you and read-only for everyone else. ANSWER: chmod 644 file1 Add /usr/joe to your path. ANSWER (in csh/tcsh): set path = ( $path /usr/joe ) or (in sh/ksh/bash): set PATH = $PATH:/usr/joe Change your password. ANSWER: passwd 2. Circle true or false (3 pts each). ANSWERS T The processor must be in kernel mode to set segment registers. T A disk drive may interrupt a user process before its time slice is up. T A segmentation fault will put the processor in kernel mode. F Processes owned by root always run in kernel mode. T The boot block contains code which is run when the computer is turned on F A zombie process is removed when it receives a SIGCHLD signal. T Calling sleep() may raise a process's priority. T The job of the MMU is to translate logical addresses to physical. F The job of the page daemon is to load pages into memory. T fork() sets the copy-on-write flag of a processor's pages. 3. In the following code from cook.c, fd is a client file descriptor opened to a socket connected to a remote server. Describe how a malicious server could exploit a vulnerability in the code below to execute arbitrary code on the client. Show how you would fix the program to prevent this (15 pts). readRecipe (fd) int fd; { char str[200]; while (readLine (fd, str)) printf ("%s\n", str); } readline (fd, str) int fd; char* str; { int n; do { n = read (fd,str, 1); } while (n > 0 && *str++ != NULL); return (n > 0); } ANSWER. There is a buffer overflow vulnerability in str[200]. The length of the input is not checked. A malicious server can overflow the array and overwrite the return address of readRecipe() or readline() (depending on whether the hardware stack grows upward or downward) with a pointer to the malicious code, in str itself. In either case, when the function returns, the code executes. Below is one fix. The size of str must be passed to readline() to check because this information is not in the str parameter. readRecipe (fd) int fd; { char str[200]; while (readLine (fd, str, sizeof(str))) // pass len = 200 printf ("%s\n", str); } readline (fd, str, len) int fd, len; char* str; { int n; do { n = read (fd,str, 1); } while (n > 0 && len-- > 0 && *str++ != NULL); // bounds check return (n > 0); } 4. Write a C or C++ program to run "cmp file1 file2 > /dev/null" using UNIX system calls and then print the exit status of cmp to the screen (30 pts). // ANSWER (I did not take off for missing header files) #include // C++ #include // C or C++ #include // C++ #include // C++ main() { int fd, status; if (fork()) { // parent wait(&status); printf("status = %d\n", status>>8); } else { // child fd=open("/dev/null", O_WRONLY); dup2(fd, 1); execlp("cmp", "cmp", "file1", "file2", NULL); } }