--- /dev/null
+From linux-kernel-owner+chrisw=40sous-sol.org-S1031791AbWLBU6v@vger.kernel.org Sat Dec 2 13:03:34 2006
+Date: Sat, 2 Dec 2006 23:58:49 +0300
+From: Alexey Dobriyan <adobriyan@gmail.com>
+To: linux-kernel@vger.kernel.org
+Subject: do_coredump() and not stopping rewrite attacks?
+
+On Sat, Dec 02, 2006 at 11:47:44PM +0300, Alexey Dobriyan wrote:
+> David Binderman compiled 2.6.19 with icc and grepped for "was set but never
+> used". Many warnings are on
+> http://coderock.org/kj/unused-2.6.19-fs
+
+Heh, the very first line:
+fs/exec.c(1465): remark #593: variable "flag" was set but never used
+
+fs/exec.c:
+ 1477 /*
+ 1478 * We cannot trust fsuid as being the "true" uid of the
+ 1479 * process nor do we know its entire history. We only know it
+ 1480 * was tainted so we dump it as root in mode 2.
+ 1481 */
+ 1482 if (mm->dumpable == 2) { /* Setuid core dump mode */
+ 1483 flag = O_EXCL; /* Stop rewrite attacks */
+ 1484 current->fsuid = 0; /* Dump root private */
+ 1485 }
+
+And then filp_open follows with "flag" totally ignored.
+
+Signed-off-by: Chris Wright <chrisw@sous-sol.org>
+---
+ fs/exec.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- linux-2.6.19.orig/fs/exec.c
++++ linux-2.6.19/fs/exec.c
+@@ -1515,7 +1515,8 @@ int do_coredump(long signr, int exit_cod
+ ispipe = 1;
+ } else
+ file = filp_open(corename,
+- O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600);
++ O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
++ 0600);
+ if (IS_ERR(file))
+ goto fail_unlock;
+ inode = file->f_dentry->d_inode;
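Review bot: The correctness of `| flag` in this hunk depends on `flag` being initialized to 0 on the non-setuid path, and its declaration is outside the visible context; the excerpt in the mail only shows it being assigned inside the `if (mm->dumpable == 2)` branch, so please confirm `flag` is zeroed at declaration, otherwise the ordinary dump path ORs an indeterminate value into the `filp_open()` flags. It would also help to state in the description that this is a behaviour change for setuid dumps: with `O_CREAT | O_EXCL` the open now fails (and the dump is skipped via `goto fail_unlock`) whenever `corename` already exists, which is the intended "Stop rewrite attacks" semantics, since the process dumps with `fsuid = 0` and must not overwrite a pre-existing file, but callers relying on an existing core being truncated will see no dump. While touching the line, the bare `2` in `O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag` is `O_RDWR` and would read better spelled out.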