diff options
Diffstat (limited to 'tags/2.6.18-8/30005_core-dump-unreadable-PT_INTERP.patch')
-rw-r--r-- | tags/2.6.18-8/30005_core-dump-unreadable-PT_INTERP.patch | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/tags/2.6.18-8/30005_core-dump-unreadable-PT_INTERP.patch b/tags/2.6.18-8/30005_core-dump-unreadable-PT_INTERP.patch new file mode 100644 index 0000000..33c7c4f --- /dev/null +++ b/tags/2.6.18-8/30005_core-dump-unreadable-PT_INTERP.patch @@ -0,0 +1,70 @@ +From: Alexey Dobriyan <adobriyan@openvz.org> +Date: Fri, 26 Jan 2007 08:57:16 +0000 (-0800) +Subject: [PATCH] core-dumping unreadable binaries via PT_INTERP +X-Git-Tag: v2.6.20-rc7^0~60 +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=1fb844961818ce94e782acf6a96b92dc2303553b + +[PATCH] core-dumping unreadable binaries via PT_INTERP + +Proposed patch to fix #5 in +http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt +aka +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073 + +To reproduce, do +* grab poc at the end of advisory. +* add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;" + where first "4096" is something equal to or greater than 4096. +* ./poc /usr/bin/sudo && ls -l + +Here I get with 2.6.20-rc5: + + -rw------- 1 ad ad 102400 2007-01-15 19:17 core + ---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo + +Check for MAY_READ like binfmt_misc.c does. + +Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org> +Signed-off-by: Andrew Morton <akpm@osdl.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +--- + +diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c +index 90461f4..669dbe5 100644 +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -682,6 +682,15 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) + retval = PTR_ERR(interpreter); + if (IS_ERR(interpreter)) + goto out_free_interp; ++ ++ /* ++ * If the binary is not readable then enforce ++ * mm->dumpable = 0 regardless of the interpreter's ++ * permissions. ++ */ ++ if (file_permission(interpreter, MAY_READ) < 0) ++ bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP; ++ + retval = kernel_read(interpreter, 0, bprm->buf, + BINPRM_BUF_SIZE); + if (retval != BINPRM_BUF_SIZE) { +diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c +index 6e6d456..a4d933a 100644 +--- a/fs/binfmt_elf_fdpic.c ++++ b/fs/binfmt_elf_fdpic.c +@@ -234,6 +234,14 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm, + goto error; + } + ++ /* ++ * If the binary is not readable then enforce ++ * mm->dumpable = 0 regardless of the interpreter's ++ * permissions. ++ */ ++ if (file_permission(interpreter, MAY_READ) < 0) ++ bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP; ++ + retval = kernel_read(interpreter, 0, bprm->buf, + BINPRM_BUF_SIZE); + if (retval < 0) |