[PATCH] core-dumping unreadable binaries via PT_INTERP

Proposed patch to fix #5 in http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt aka http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073 To reproduce, do * grab poc at the end of advisory. * add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;" where first "4096" is something equal to or greater than 4096. * ./poc /usr/bin/sudo && ls -l Here I get with 2.6.20-rc5: -rw------- 1 ad ad 102400 2007-01-15 19:17 core ---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo Check for MAY_READ like binfmt_misc.c does. Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Alexey Dobriyan <adobriyan@openvz.org> 2007-01-26 03:57:16 -0500
committer: Linus Torvalds <torvalds@woody.linux-foundation.org> 2007-01-26 16:51:00 -0500
commit: 1fb844961818ce94e782acf6a96b92dc2303553b (patch)
tree: f58153e0e6a21ee41761786c632f6261c30a3b8b /fs/binfmt_elf.c
parent: c20086de9319ac406f1e96ad459763c9f9965b18 (diff)
1 files changed, 9 insertions, 0 deletions
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
index 90461f49e902..669dbe5b0317 100644
--- a/fs/binfmt_elf.c
+++ b/fs/binfmt_elf.c
@@ -682,6 +682,15 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
                        retval = PTR_ERR(interpreter);
                        if (IS_ERR(interpreter))
                                goto out_free_interp;
+                        /*
+                         * If the binary is not readable then enforce
+                         * mm->dumpable = 0 regardless of the interpreter's
+                         * permissions.
+                         */
+                        if (file_permission(interpreter, MAY_READ) < 0)
+                                bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
                        retval = kernel_read(interpreter, 0, bprm->buf,
                                             BINPRM_BUF_SIZE);
                        if (retval != BINPRM_BUF_SIZE) {
author	Alexey Dobriyan <adobriyan@openvz.org>	2007-01-26 03:57:16 -0500
committer	Linus Torvalds <torvalds@woody.linux-foundation.org>	2007-01-26 16:51:00 -0500
commit	1fb844961818ce94e782acf6a96b92dc2303553b (patch)
tree	f58153e0e6a21ee41761786c632f6261c30a3b8b /fs/binfmt_elf.c
parent	c20086de9319ac406f1e96ad459763c9f9965b18 (diff)

diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 90461f49e902..669dbe5b0317 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c
@@ -682,6 +682,15 @@ static int load_elf_binary(struct linux_binprm bprm, struct pt_regs regs)
682	retval = PTR_ERR(interpreter);	682	retval = PTR_ERR(interpreter);
683	if (IS_ERR(interpreter))	683	if (IS_ERR(interpreter))
684	goto out_free_interp;	684	goto out_free_interp;
		685
		686	/*
		687	* If the binary is not readable then enforce
		688	* mm->dumpable = 0 regardless of the interpreter's
		689	* permissions.
		690	*/
		691	if (file_permission(interpreter, MAY_READ) < 0)
		692	bprm->interp_flags \|= BINPRM_FLAGS_ENFORCE_NONDUMP;
		693
685	retval = kernel_read(interpreter, 0, bprm->buf,	694	retval = kernel_read(interpreter, 0, bprm->buf,
686	BINPRM_BUF_SIZE);	695	BINPRM_BUF_SIZE);
687	if (retval != BINPRM_BUF_SIZE) {	696	if (retval != BINPRM_BUF_SIZE) {