| From f87d1c9559164294040e58f5e3b74a162bf7c6e8 Mon Sep 17 00:00:00 2001 |
| From: "Eric W. Biederman" <ebiederm@xmission.com> |
| Date: Sat, 16 May 2020 16:29:20 -0500 |
| Subject: exec: Move would_dump into flush_old_exec |
| |
| From: Eric W. Biederman <ebiederm@xmission.com> |
| |
| commit f87d1c9559164294040e58f5e3b74a162bf7c6e8 upstream. |
| |
| I goofed when I added mm->user_ns support to would_dump. I missed the |
| fact that in the case of binfmt_loader, binfmt_em86, binfmt_misc, and |
| binfmt_script bprm->file is reassigned. Which made the move of |
| would_dump from setup_new_exec to __do_execve_file before exec_binprm |
| incorrect as it can result in would_dump running on the script instead |
| of the interpreter of the script. |
| |
| The net result is that the code stopped making unreadable interpreters |
| undumpable. Which allows them to be ptraced and written to disk |
| without special permissions. Oops. |
| |
| The move was necessary because the call in setup_new_exec was after |
| bprm->mm was no longer valid. |
| |
| To correct this mistake move the misplaced would_dump from |
| __do_execve_file into flush_old_exec, before exec_mmap is called. |
| |
| I tested and confirmed that without this fix I can attach with gdb to |
| a script with an unreadable interpreter, and with this fix I can not. |
| |
| Cc: stable@vger.kernel.org |
| Fixes: f84df2a6f268 ("exec: Ensure mm->user_ns contains the execed files") |
| Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/exec.c | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/fs/exec.c |
| +++ b/fs/exec.c |
| @@ -1277,6 +1277,8 @@ int flush_old_exec(struct linux_binprm * |
| */ |
| set_mm_exe_file(bprm->mm, bprm->file); |
| |
| + would_dump(bprm, bprm->file); |
| + |
| /* |
| * Release all of the old mmap stuff |
| */ |
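Review bot: the added would_dump(bprm, bprm->file) call in flush_old_exec carries no comment recording why it has to sit exactly here. Per the commit message it must see the final bprm->file (after binfmt_script, binfmt_misc and the other handlers have reassigned it) and must run before exec_mmap, while bprm->mm is still valid. The call has already been misplaced once, so a short comment above it stating both ordering constraints would help keep a later cleanup from moving it again.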
| @@ -1820,8 +1822,6 @@ static int __do_execve_file(int fd, stru |
| if (retval < 0) |
| goto out; |
| |
| - would_dump(bprm, bprm->file); |
| - |
| retval = exec_binprm(bprm); |
| if (retval < 0) |
| goto out; |
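Review bot: with would_dump(bprm, bprm->file) dropped ahead of exec_binprm(bprm) in __do_execve_file, the diffstat shows only fs/exec.c changing, so the regression described in the commit message (an unreadable interpreter left dumpable when started through a script) is covered only by the manual gdb check. Consider adding a selftest that execs a script whose interpreter is not readable by the caller and verifies that the resulting process cannot be attached to, so a future reordering of the exec path fails a test instead of silently reopening the hole.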