From: Alexey Dobriyan Date: Thu, 7 Dec 2006 04:40:39 +0000 (-0800) Subject: [PATCH] do_coredump() and not stopping rewrite attacks? X-Git-Url: https://git.karo-electronics.de/?a=commitdiff_plain;h=6d4df677f8a60ea6bc0ef1a596c1a3a79b1d4882;p=linux-beck.git [PATCH] do_coredump() and not stopping rewrite attacks? On Sat, Dec 02, 2006 at 11:47:44PM +0300, Alexey Dobriyan wrote: > David Binderman compiled 2.6.19 with icc and grepped for "was set but never > used". Many warnings are on > http://coderock.org/kj/unused-2.6.19-fs Heh, the very first line: fs/exec.c(1465): remark #593: variable "flag" was set but never used fs/exec.c: 1477 /* 1478 * We cannot trust fsuid as being the "true" uid of the 1479 * process nor do we know its entire history. We only know it 1480 * was tainted so we dump it as root in mode 2. 1481 */ 1482 if (mm->dumpable == 2) { /* Setuid core dump mode */ 1483 flag = O_EXCL; /* Stop rewrite attacks */ 1484 current->fsuid = 0; /* Dump root private */ 1485 } And then filp_open follows with "flag" totally ignored. (akpm: this restores the code to Alan's original version. Andi's "Support piping into commands in /proc/sys/kernel/core_pattern" (cset d025c9db) broke it). Cc: Alan Cox Cc: Cc: Andi Kleen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- diff --git a/fs/exec.c b/fs/exec.c index 2092bd207463..add0e03c3ea9 100644 --- a/fs/exec.c +++ b/fs/exec.c @@ -1515,7 +1515,8 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs) ispipe = 1; } else file = filp_open(corename, - O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600); + O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, + 0600); if (IS_ERR(file)) goto fail_unlock; inode = file->f_dentry->d_inode;