Google Git
Sign in
kernel / pub / scm / linux / kernel / git / horms / ipvs-next / c27a3393808acab7243da7455c713fe763ea2627^! / .
commitc27a3393808acab7243da7455c713fe763ea2627[log] [tgz]
authorMarcel Holtmann <marcel@holtmann.org>Fri Aug 17 21:47:58 2007 +0200
committerGreg Kroah-Hartman <gregkh@suse.de>Mon Aug 20 21:32:42 2007 -0700
treebd333799dc8b4d4376bfa02c89b0384be167d38b
parent99b656830d8d41f5e0a380b10a70b1f1844a15ef [diff]
Reset current->pdeath_signal on SUID binary execution (CVE-2007-3848)

This fixes a vulnerability in the "parent process death signal"
implementation discoverd by Wojciech Purczynski of COSEINC PTE Ltd.
and iSEC Security Research.

http://marc.info/?l=bugtraq&m=118711306802632&w=2

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>


diff --git a/fs/exec.c b/fs/exec.c
index f20561f..9a93770 100644
--- a/fs/exec.c
+++ b/fs/exec.c

@@ -890,9 +890,12 @@
 	 */
 	current->mm->task_size = TASK_SIZE;
 
-	if (bprm->e_uid != current->euid || bprm->e_gid != current->egid || 
-	    file_permission(bprm->file, MAY_READ) ||
-	    (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
+	if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) {
+		suid_keys(current);
+		current->mm->dumpable = suid_dumpable;
+		current->pdeath_signal = 0;
+	} else if (file_permission(bprm->file, MAY_READ) ||
+			(bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
 		suid_keys(current);
 		current->mm->dumpable = suid_dumpable;
 	}
@@ -983,8 +986,10 @@
 {
 	int unsafe;
 
-	if (bprm->e_uid != current->uid)
+	if (bprm->e_uid != current->uid) {
 		suid_keys(current);
+		current->pdeath_signal = 0;
+	}
 	exec_keys(current);
 
 	task_lock(current);