[PATCH] core-dumping unreadable binaries via PT_INTERP

[Linux Kernel Mailing List]

Gitweb:     
http://git.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=1fb844961818ce94e782acf6a96b92dc2303553b
Commit:     1fb844961818ce94e782acf6a96b92dc2303553b
Parent:     c20086de9319ac406f1e96ad459763c9f9965b18
Author:     Alexey Dobriyan <[EMAIL PROTECTED]>
AuthorDate: Fri Jan 26 00:57:16 2007 -0800
Committer:  Linus Torvalds <[EMAIL PROTECTED]>
CommitDate: Fri Jan 26 13:51:00 2007 -0800

    [PATCH] core-dumping unreadable binaries via PT_INTERP
    
    Proposed patch to fix #5 in
    http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
    aka
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073
    
    To reproduce, do
    * grab poc at the end of advisory.
    * add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;"
      where first "4096" is something equal to or greater than 4096.
    * ./poc /usr/bin/sudo && ls -l
    
    Here I get with 2.6.20-rc5:
    
     -rw------- 1 ad   ad   102400 2007-01-15 19:17 core
     ---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo
    
    Check for MAY_READ like binfmt_misc.c does.
    
    Signed-off-by: Alexey Dobriyan <[EMAIL PROTECTED]>
    Signed-off-by: Andrew Morton <[EMAIL PROTECTED]>
    Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
---
 fs/binfmt_elf.c       |    9 +++++++++
 fs/binfmt_elf_fdpic.c |    8 ++++++++
 2 files changed, 17 insertions(+), 0 deletions(-)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 90461f4..669dbe5 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -682,6 +682,15 @@ static int load_elf_binary(struct linux_binprm *bprm, 
struct pt_regs *regs)
                        retval = PTR_ERR(interpreter);
                        if (IS_ERR(interpreter))
                                goto out_free_interp;
+
+                       /*
+                        * If the binary is not readable then enforce
+                        * mm->dumpable = 0 regardless of the interpreter's
+                        * permissions.
+                        */
+                       if (file_permission(interpreter, MAY_READ) < 0)
+                               bprm->interp_flags |= 
BINPRM_FLAGS_ENFORCE_NONDUMP;
+
                        retval = kernel_read(interpreter, 0, bprm->buf,
                                             BINPRM_BUF_SIZE);
                        if (retval != BINPRM_BUF_SIZE) {
diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
index 6e6d456..a4d933a 100644
--- a/fs/binfmt_elf_fdpic.c
+++ b/fs/binfmt_elf_fdpic.c
@@ -234,6 +234,14 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm,
                                goto error;
                        }
 
+                       /*
+                        * If the binary is not readable then enforce
+                        * mm->dumpable = 0 regardless of the interpreter's
+                        * permissions.
+                        */
+                       if (file_permission(interpreter, MAY_READ) < 0)
+                               bprm->interp_flags |= 
BINPRM_FLAGS_ENFORCE_NONDUMP;
+
                        retval = kernel_read(interpreter, 0, bprm->buf,
                                             BINPRM_BUF_SIZE);
                        if (retval < 0)
-
To unsubscribe from this list: send the line "unsubscribe git-commits-head" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html