diff options
author | Marcel Holtmann <marcel@holtmann.org> | 2007-08-17 21:47:58 +0200 |
---|---|---|
committer | Willy Tarreau <w@1wt.eu> | 2007-08-25 17:24:22 +0200 |
commit | c1e4dd1423d04c3010cfc70db210e41c97c5fd25 (patch) | |
tree | c2f197c70c9677c18aabcc2e286013ee1017904a | |
parent | 1cf05c27a34048f768a3d9ea1410a28e71763587 (diff) | |
download | lwn-c1e4dd1423d04c3010cfc70db210e41c97c5fd25.tar.gz lwn-c1e4dd1423d04c3010cfc70db210e41c97c5fd25.zip |
[PATCH] Reset current->pdeath_signal on SUID binary execution (CVE-2007-3848)
This fixes a vulnerability in the "parent process death signal"
implementation discoverd by Wojciech Purczynski of COSEINC PTE Ltd.
and iSEC Security Research.
http://marc.info/?l=bugtraq&m=118711306802632&w=2
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
-rw-r--r-- | fs/exec.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/fs/exec.c b/fs/exec.c index 0f8573acb9f1..bd1ab3f460a3 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -881,9 +881,12 @@ int flush_old_exec(struct linux_binprm * bprm) */ current->mm->task_size = TASK_SIZE; - if (bprm->e_uid != current->euid || bprm->e_gid != current->egid || - file_permission(bprm->file, MAY_READ) || - (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) { + if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) { + suid_keys(current); + current->mm->dumpable = suid_dumpable; + current->pdeath_signal = 0; + } else if (file_permission(bprm->file, MAY_READ) || + (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) { suid_keys(current); current->mm->dumpable = suid_dumpable; } @@ -974,8 +977,10 @@ void compute_creds(struct linux_binprm *bprm) { int unsafe; - if (bprm->e_uid != current->uid) + if (bprm->e_uid != current->uid) { suid_keys(current); + current->pdeath_signal = 0; + } exec_keys(current); task_lock(current); |