[patch 17/32] do_coredump() and not stopping rewrite attacks? (CVE-2006-6304)
From: Chris Wright
Date: Fri Dec 08 2006 - 19:00:45 EST
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Alexey Dobriyan <adobriyan@xxxxxxxxx>
On Sat, Dec 02, 2006 at 11:47:44PM +0300, Alexey Dobriyan wrote:
> David Binderman compiled 2.6.19 with icc and grepped for "was set but never
> used". Many warnings are on
> http://coderock.org/kj/unused-2.6.19-fs
Heh, the very first line:
fs/exec.c(1465): remark #593: variable "flag" was set but never used
fs/exec.c:
1477 /*
1478 * We cannot trust fsuid as being the "true" uid of the
1479 * process nor do we know its entire history. We only know it
1480 * was tainted so we dump it as root in mode 2.
1481 */
1482 if (mm->dumpable == 2) { /* Setuid core dump mode */
1483 flag = O_EXCL; /* Stop rewrite attacks */
1484 current->fsuid = 0; /* Dump root private */
1485 }
And then filp_open follows with "flag" totally ignored.
Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
---
fs/exec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- linux-2.6.19.orig/fs/exec.c
+++ linux-2.6.19/fs/exec.c
@@ -1515,7 +1515,8 @@ int do_coredump(long signr, int exit_cod
ispipe = 1;
} else
file = filp_open(corename,
- O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600);
+ O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
+ 0600);
if (IS_ERR(file))
goto fail_unlock;
inode = file->f_dentry->d_inode;
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/