From linux-kernel-owner+chrisw=40sous-sol.org-S1031791AbWLBU6v@vger.kernel.org Sat Dec 2 13:03:34 2006
Date: Sat, 2 Dec 2006 23:58:49 +0300
From: Alexey Dobriyan <adobriyan@gmail.com>
To: linux-kernel@vger.kernel.org
Subject: do_coredump() and not stopping rewrite attacks? (CVE-2006-6304)

On Sat, Dec 02, 2006 at 11:47:44PM +0300, Alexey Dobriyan wrote:
> David Binderman compiled 2.6.19 with icc and grepped for "was set but never
> used". Many warnings are on
> http://coderock.org/kj/unused-2.6.19-fs

Heh, the very first line:
fs/exec.c(1465): remark #593: variable "flag" was set but never used

fs/exec.c:
1477		/*
1478		 * We cannot trust fsuid as being the "true" uid of the
1479		 * process nor do we know its entire history. We only know it
1480		 * was tainted so we dump it as root in mode 2.
1481		 */
1482		if (mm->dumpable == 2) {	/* Setuid core dump mode */
1483			flag = O_EXCL;		/* Stop rewrite attacks */
1484			current->fsuid = 0;	/* Dump root private */
1485		}

And then filp_open follows with "flag" totally ignored.

Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 fs/exec.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

| --- linux-2.6.19.orig/fs/exec.c |
| +++ linux-2.6.19/fs/exec.c |
| @@ -1515,7 +1515,8 @@ int do_coredump(long signr, int exit_cod |
| ispipe = 1; |
| } else |
| file = filp_open(corename, |
| - O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600); |
| + O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, |
| + 0600); |
| if (IS_ERR(file)) |
| goto fail_unlock; |
| inode = file->f_dentry->d_inode; |
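Review bot: the hunk ORs `flag` into the filp_open() flags, but neither the hunk nor the quoted context above shows `flag` being initialised on the non-setuid path; confirm the declaration in do_coredump() reads `int flag = 0;`, otherwise the `mm->dumpable != 2` case ORs an indeterminate value into the open flags. While touching this line, the bare `2` would be clearer as `O_RDWR`. Note the intended behaviour change: with `O_CREAT | O_EXCL`, a mode-2 dump whose `corename` already exists now fails with EEXIST and takes the `IS_ERR(file)` path instead of opening and overwriting the existing file, which is exactly the "rewrite attack" the unused `flag` was meant to stop.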
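As an added userspace illustration (not part of the patch or of the kernel code quoted above) of what the ignored `flag` changes: the same flag set do_coredump() passes to filp_open(), tried with and without O_EXCL against a regular file already sitting at the core name. The scratch directory and file names are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifndef O_LARGEFILE
#define O_LARGEFILE 0   /* not defined on every libc; harmless to omit */
#endif

/* Userspace mirror of do_coredump()'s open: O_CREAT | 2 (O_RDWR) | O_NOFOLLOW |
 * O_LARGEFILE, mode 0600, plus O_EXCL only when asked (the patch's `flag`). */
static int open_corefile(const char *corename, int exclusive)
{
    int flag = exclusive ? O_EXCL : 0;   /* 0 on the non-setuid path */
    return open(corename, O_CREAT | O_RDWR | O_NOFOLLOW | O_LARGEFILE | flag, 0600);
}

/* Returns 0 if the open succeeded (fd closed again), otherwise errno. */
static int try_open(const char *corename, int exclusive)
{
    int fd = open_corefile(corename, exclusive);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Constructed scenario: a regular file already sits where the core would be
 * written. Returns 1 when the plain open accepts it and the O_EXCL open refuses
 * it with EEXIST, -1 on setup failure, 0 otherwise. */
static int demo(void)
{
    char dir[] = "/tmp/coredemo.XXXXXX";   /* constructed scratch directory */
    char corename[64];
    if (!mkdtemp(dir))
        return -1;
    snprintf(corename, sizeof corename, "%s/core", dir);
    int fd = open(corename, O_CREAT | O_WRONLY, 0644);   /* pre-planted file */
    if (fd < 0)
        return -1;
    close(fd);
    int plain = try_open(corename, 0);   /* 2.6.19 behaviour: flag ignored */
    int excl = try_open(corename, 1);    /* patched behaviour: O_EXCL honoured */
    unlink(corename);
    rmdir(dir);
    return plain == 0 && excl == EEXIST;
}
```

`demo()` returns 1 on a Linux box: the unpatched flag set happily opens the pre-existing file, the patched one refuses it with EEXIST.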