git.ipfire.org Git - thirdparty/systemd.git/commit

coredump: use %d in kernel core pattern

The kernel provides %d which is documented as
"dump mode—same as value returned by prctl(2) PR_GET_DUMPABLE".

We already query /proc/pid/auxv for this information, but unfortunately this
check is subject to a race, because the crashed process may be replaced by an
attacker before we read this data, for example replacing a SUID process that
was killed by a signal with another process that is not SUID, tricking us into
making the coredump of the original process readable by the attacker.

With this patch, we effectively add one more check to the list of conditions
that need be satisfied if we are to make the coredump accessible to the user.

Reportedy-by: Qualys Security Advisory <qsa@qualys.com>
In principle, %d might return a value other than 0, 1, or 2 in the future.
Thus, we accept those, but emit a notice.

author	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Tue, 29 Apr 2025 12:47:59 +0000 (14:47 +0200)
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
	Wed, 28 May 2025 22:10:08 +0000 (00:10 +0200)
commit	0c49e0049b7665bb7769a13ef346fef92e1ad4d6
tree	f333c8742ca7b8ad059837d69e3a19a0c9d07a31	tree \| snapshot
parent	49f1f2d4a7612bbed5211a73d11d6a94fbe3bb69	commit \| diff

man/systemd-coredump.xml		diff \| blob \| blame \| history
src/coredump/coredump.c		diff \| blob \| blame \| history
sysctl.d/50-coredump.conf.in		diff \| blob \| blame \| history
test/units/TEST-87-AUX-UTILS-VM.coredump.sh		diff \| blob \| blame \| history