/Date Sat, 2 Dec 2006 23:58:49 +0300 From Alexey Dobriyan <> Subject do_coredump() and not stopping rewrite attacks? Digg This On Sat, Dec 02, 2006 at 11:47:44PM +0300, Alexey Dobriyan wrote: > David Binderman compiled 2.6.19 with icc and grepped for "was set but never > used". Many warnings are on > http://coderock.org/kj/unused-2.6.19-fs Heh, the very first line: fs/exec.c(1465): remark #593: variable "flag" was set but never used fs/exec.c: 1477 /* 1478 * We cannot trust fsuid as being the "true" uid of the 1479 * process nor do we know its entire history. We only know it 1480 * was tainted so we dump it as root in mode 2. 1481 */ 1482 if (mm->dumpable == 2) { /* Setuid core dump mode */ 1483 flag = O_EXCL; /* Stop rewrite attacks */ 1484 current->fsuid = 0; /* Dump root private */ 1485 } And then filp_open follows with "flag" totally ignored. --- a/fs/exec.c +++ b/fs/exec.c @@ -1515,7 +1515,8 @@ int do_coredump(long signr, int exit_cod ispipe = 1; } else file = filp_open(corename, - O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600); + O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, + 0600); if (IS_ERR(file)) goto fail_unlock; inode = file->f_dentry->d_inode;
Removing security bit as this has been discussed on public archives.
Appears that Xen is alone on this one. Please patch or bump above 2.6.19.1.
(In reply to comment #2) > Appears that Xen is alone on this one. > > Please patch or bump above 2.6.19.1. > This bug was introduced during the 2.6.19 merge window, so xen-sources in unaffected. http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.19.y.git;a=blobdiff;f=fs/exec.c;h=6270f8f20a638195b1e1c1fc59bba00d8f4d2bd3;hp=0db3fc3c5f0fe713af2d9a515c7cfdc7670d0223;hb=d025c9db7f31fc0554ce7fb2dfc78d35a77f3487;hpb=e239ca540594cff00adcce163dc332b27015d8e5
