diff options
author | Alexey Dobriyan <adobriyan@openvz.org> | 2007-01-26 03:57:16 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-01-26 16:51:00 -0500 |
commit | 1fb844961818ce94e782acf6a96b92dc2303553b (patch) | |
tree | f58153e0e6a21ee41761786c632f6261c30a3b8b /fs | |
parent | c20086de9319ac406f1e96ad459763c9f9965b18 (diff) |
[PATCH] core-dumping unreadable binaries via PT_INTERP
Proposed patch to fix #5 in
http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
aka
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073
To reproduce, do
* grab poc at the end of advisory.
* add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;"
where first "4096" is something equal to or greater than 4096.
* ./poc /usr/bin/sudo && ls -l
Here I get with 2.6.20-rc5:
-rw------- 1 ad ad 102400 2007-01-15 19:17 core
---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo
Check for MAY_READ like binfmt_misc.c does.
Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/binfmt_elf.c | 9 | ||||
-rw-r--r-- | fs/binfmt_elf_fdpic.c | 8 |
2 files changed, 17 insertions, 0 deletions
diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c index 90461f49e902..669dbe5b0317 100644 --- a/fs/binfmt_elf.c +++ b/fs/binfmt_elf.c | |||
@@ -682,6 +682,15 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs) | |||
682 | retval = PTR_ERR(interpreter); | 682 | retval = PTR_ERR(interpreter); |
683 | if (IS_ERR(interpreter)) | 683 | if (IS_ERR(interpreter)) |
684 | goto out_free_interp; | 684 | goto out_free_interp; |
685 | |||
686 | /* | ||
687 | * If the binary is not readable then enforce | ||
688 | * mm->dumpable = 0 regardless of the interpreter's | ||
689 | * permissions. | ||
690 | */ | ||
691 | if (file_permission(interpreter, MAY_READ) < 0) | ||
692 | bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP; | ||
693 | |||
685 | retval = kernel_read(interpreter, 0, bprm->buf, | 694 | retval = kernel_read(interpreter, 0, bprm->buf, |
686 | BINPRM_BUF_SIZE); | 695 | BINPRM_BUF_SIZE); |
687 | if (retval != BINPRM_BUF_SIZE) { | 696 | if (retval != BINPRM_BUF_SIZE) { |
diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c index 6e6d4568d548..a4d933a51208 100644 --- a/fs/binfmt_elf_fdpic.c +++ b/fs/binfmt_elf_fdpic.c | |||
@@ -234,6 +234,14 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm, | |||
234 | goto error; | 234 | goto error; |
235 | } | 235 | } |
236 | 236 | ||
237 | /* | ||
238 | * If the binary is not readable then enforce | ||
239 | * mm->dumpable = 0 regardless of the interpreter's | ||
240 | * permissions. | ||
241 | */ | ||
242 | if (file_permission(interpreter, MAY_READ) < 0) | ||
243 | bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP; | ||
244 | |||
237 | retval = kernel_read(interpreter, 0, bprm->buf, | 245 | retval = kernel_read(interpreter, 0, bprm->buf, |
238 | BINPRM_BUF_SIZE); | 246 | BINPRM_BUF_SIZE); |
239 | if (retval < 0) | 247 | if (retval < 0) |