diff options
| author | Alexey Dobriyan <adobriyan@gmail.com> | 2006-12-02 23:58:49 +0300 |
|---|---|---|
| committer | Chris Wright <chrisw@sous-sol.org> | 2006-12-11 11:32:39 -0800 |
| commit | a526d58e9f362189b49a3ca73315101ff0fc1dc1 (patch) | |
| tree | d1c6ed597b480b6bf99c34f25d5531f95578c7dc /fs | |
| parent | 68057dcdf944f5801af3692c63e1f193e0f1a818 (diff) | |
[PATCH] do_coredump() and not stopping rewrite attacks? (CVE-2006-6304)
On Sat, Dec 02, 2006 at 11:47:44PM +0300, Alexey Dobriyan wrote:
> David Binderman compiled 2.6.19 with icc and grepped for "was set but never
> used". Many warnings are on
> http://coderock.org/kj/unused-2.6.19-fs
Heh, the very first line:
fs/exec.c(1465): remark #593: variable "flag" was set but never used
fs/exec.c:
1477 /*
1478 * We cannot trust fsuid as being the "true" uid of the
1479 * process nor do we know its entire history. We only know it
1480 * was tainted so we dump it as root in mode 2.
1481 */
1482 if (mm->dumpable == 2) { /* Setuid core dump mode */
1483 flag = O_EXCL; /* Stop rewrite attacks */
1484 current->fsuid = 0; /* Dump root private */
1485 }
And then filp_open follows with "flag" totally ignored.
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/exec.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/exec.c b/fs/exec.c index d993ea1a81ae..8c01dcbec3e4 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1515,7 +1515,8 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs) ispipe = 1; } else file = filp_open(corename, - O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600); + O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, + 0600); if (IS_ERR(file)) goto fail_unlock; inode = file->f_dentry->d_inode; |