[patch 4/4] MAP_NOZERO v2 - avoid ptrace/setuid+exec races

From: Davide Libenzi
Date: Thu Jun 28 2007 - 14:50:46 EST


It can happen that a root application doing:

setuid(newuid);
<- ptrace_attach();
exec(...);
exit(1);

is raced by an application running under "newuid", which ptrace-attaches to it
and peeks/pokes its memory.
The patch adds a new "exec uid" that is set only after the complete detach
from the old process context is done. The ptrace may_attach() function
is also changed to check that the attacher xuid matches the attached xuid.



Signed-off-by: Davide Libenzi <davidel@xxxxxxxxxxxxxxx>


- Davide


---
fs/exec.c | 2 ++
include/linux/sched.h | 2 +-
kernel/ptrace.c | 1 +
3 files changed, 4 insertions(+), 1 deletion(-)

Index: linux-2.6.mod/fs/exec.c
===================================================================
--- linux-2.6.mod.orig/fs/exec.c 2007-06-28 11:45:06.000000000 -0700
+++ linux-2.6.mod/fs/exec.c 2007-06-28 11:45:20.000000000 -0700
@@ -905,6 +905,8 @@
flush_signal_handlers(current, 0);
flush_old_files(current->files);

+ current->xuid = current->uid;
+
return 0;

mmap_failed:
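Review bot: the new `current->xuid = current->uid;` store carries no comment, and nothing in the hunk says why xuid is refreshed only here and never in the setuid paths; since the whole point of the field is that it lags uid between setuid() and a completed exec, a one-line comment above the assignment (for example `/* xuid lags uid until exec completes; see may_attach() */`) would stop a later cleanup from "fixing" the apparent omission. It is also worth stating that the store is placed after flush_old_files() on purpose, so that every earlier failure path in flush_old_exec() leaves xuid at its pre-exec value. The diffstat lists only three files, so the field is never initialised in INIT_TASK; the first value comes from the static zero of init_task and from the task-struct copy at fork, and a comment noting that this is relied upon would help.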
Index: linux-2.6.mod/include/linux/sched.h
===================================================================
--- linux-2.6.mod.orig/include/linux/sched.h 2007-06-28 11:45:20.000000000 -0700
+++ linux-2.6.mod/include/linux/sched.h 2007-06-28 11:45:20.000000000 -0700
@@ -917,7 +917,7 @@
struct list_head cpu_timers[3];

/* process credentials */
- uid_t uid,euid,suid,fsuid;
+ uid_t uid,euid,suid,fsuid,xuid;
gid_t gid,egid,sgid,fsgid;
struct group_info *group_info;
kernel_cap_t cap_effective, cap_inheritable, cap_permitted;
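Review bot: appending xuid to the existing `uid_t uid,euid,suid,fsuid;` line leaves a credential field whose semantics differ from its neighbours undocumented; a reader of the `/* process credentials */` group will assume it is updated wherever uid is. Give it its own line with a comment, for example `uid_t xuid; /* uid at the last completed exec; lags uid after setuid() */`.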
Index: linux-2.6.mod/kernel/ptrace.c
===================================================================
--- linux-2.6.mod.orig/kernel/ptrace.c 2007-06-28 11:45:06.000000000 -0700
+++ linux-2.6.mod/kernel/ptrace.c 2007-06-28 11:45:20.000000000 -0700
@@ -135,6 +135,7 @@
return 0;
if (((current->uid != task->euid) ||
(current->uid != task->suid) ||
+ (current->xuid != task->xuid) ||
(current->uid != task->uid) ||
(current->gid != task->egid) ||
(current->gid != task->sgid) ||
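Review bot: the added `(current->xuid != task->xuid)` test is the only place that records the new rule, and it does so only by its position inside an existing condition; a comment above the block explaining that it closes the setuid()-then-exec() window from the changelog would help. Two points to confirm: first, the test compares the tracer's xuid rather than its uid, so a privileged process that has itself called setuid() but not yet exec'd still carries its old xuid and will be refused unless it holds CAP_SYS_PTRACE, which is acceptable but should be stated in the changelog; second, this predicate can be reached by callers other than PTRACE_ATTACH, so check that every caller of may_attach() (including any /proc access that goes through the same check) is meant to see the stricter result, and whether PTRACE_TRACEME, which may not pass through this function, needs the same rule.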

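The following is an added example, not part of the patch or of the kernel source: a user-space model of the uid comparison in may_attach() before and after the xuid change, replaying the setuid()/exec() sequence from the changelog to show which attach attempt the new `current->xuid != task->xuid` test rejects. The field names uid, euid, suid and xuid mirror the task_struct members in the patch; the Task class, the helper names, the sample uids and the simplified capability check are constructed for this example, and the gid and dumpable checks of the real function are left out.

```python
"""Model of the ptrace may_attach() uid checks with and without the xuid field.

Added example, not the kernel's code: a user-space simulation of the credential
comparison, replaying the setuid() -> exec() window from the patch description.
Only the uid-related terms are modelled; the real function also compares gids
and consults mm->dumpable (omitted here).
"""

from dataclasses import dataclass

# Constructed simplification: treat euid 0 as holding CAP_SYS_PTRACE.
CAP_SYS_PTRACE_HOLDERS = {0}


@dataclass
class Task:
    uid: int
    euid: int
    suid: int
    xuid: int  # uid recorded at the last completed exec (the field the patch adds)

    def setuid(self, new_uid: int) -> None:
        # Privileged setuid(): the three traditional uids change, xuid does not
        # (the patch writes xuid only in the exec path).
        self.uid = self.euid = self.suid = new_uid

    def exec(self) -> None:
        # flush_old_exec() after the patch: xuid catches up with uid.
        self.xuid = self.uid


def capable_sys_ptrace(tracer: Task) -> bool:
    return tracer.euid in CAP_SYS_PTRACE_HOLDERS


def may_attach_old(tracer: Task, task: Task) -> bool:
    """uid part of may_attach() as it stands without the patch."""
    mismatch = (tracer.uid != task.euid or
                tracer.uid != task.suid or
                tracer.uid != task.uid)
    return not mismatch or capable_sys_ptrace(tracer)


def may_attach_new(tracer: Task, task: Task) -> bool:
    """Same predicate with the xuid comparison from the kernel/ptrace.c hunk."""
    mismatch = (tracer.uid != task.euid or
                tracer.uid != task.suid or
                tracer.xuid != task.xuid or
                tracer.uid != task.uid)
    return not mismatch or capable_sys_ptrace(tracer)


def race_window_results(new_uid: int = 1000):
    """Replay the changelog sequence and return, per stage, an (old, new) pair
    saying whether an unprivileged process running as new_uid may attach."""
    # Constructed sample processes: the would-be tracer already runs as new_uid
    # and has exec'd under it; the victim is a root process that exec'd as root.
    attacker = Task(uid=new_uid, euid=new_uid, suid=new_uid, xuid=new_uid)
    victim = Task(uid=0, euid=0, suid=0, xuid=0)

    def both():
        return (may_attach_old(attacker, victim), may_attach_new(attacker, victim))

    results = {"before_setuid": both()}
    victim.setuid(new_uid)          # uid/euid/suid now new_uid, xuid still 0
    results["after_setuid"] = both()  # the window the patch closes
    victim.exec()                   # xuid now new_uid as well
    results["after_exec"] = both()
    return results


if __name__ == "__main__":
    for stage, (old, new) in race_window_results().items():
        print(f"{stage:14s} old={old!s:6s} new={new!s}")
```

The middle stage is the one that matters: with the old predicate the victim looks like an ordinary new_uid process as soon as setuid() returns, while with the xuid term it stays unattachable until its exec has completed, which is exactly the behaviour the changelog asks for.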