2.6.22.4 release v2.6.22.4
authorGreg Kroah-Hartman <gregkh@suse.de>
Tue, 21 Aug 2007 04:40:01 +0000 (21:40 -0700)
committerGreg Kroah-Hartman <gregkh@suse.de>
Tue, 21 Aug 2007 04:40:01 +0000 (21:40 -0700)
releases/2.6.22.4/reset-current-pdeath_signal-on-suid-binary-execution.patch [new file with mode: 0644]
releases/2.6.22.4/series [new file with mode: 0644]

diff --git a/releases/2.6.22.4/reset-current-pdeath_signal-on-suid-binary-execution.patch b/releases/2.6.22.4/reset-current-pdeath_signal-on-suid-binary-execution.patch
new file mode 100644 (file)
index 0000000..d17a61e
--- /dev/null
@@ -0,0 +1,49 @@
+From d2d56c5f51028cb9f3d800882eb6f4cbd3f9099f Mon Sep 17 00:00:00 2001
+From: Marcel Holtmann <marcel@holtmann.org>
+Date: Fri, 17 Aug 2007 21:47:58 +0200
+Subject: Reset current->pdeath_signal on SUID binary execution (CVE-2007-3848)
+
+This fixes a vulnerability in the "parent process death signal"
+implementation discoverd by Wojciech Purczynski of COSEINC PTE Ltd.
+and iSEC Security Research.
+
+http://marc.info/?l=bugtraq&m=118711306802632&w=2
+
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/exec.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -890,9 +890,12 @@ int flush_old_exec(struct linux_binprm *
+        */
+       current->mm->task_size = TASK_SIZE;
+-      if (bprm->e_uid != current->euid || bprm->e_gid != current->egid || 
+-          file_permission(bprm->file, MAY_READ) ||
+-          (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
++      if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) {
++              suid_keys(current);
++              current->mm->dumpable = suid_dumpable;
++              current->pdeath_signal = 0;
++      } else if (file_permission(bprm->file, MAY_READ) ||
++                      (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
+               suid_keys(current);
+               current->mm->dumpable = suid_dumpable;
+       }
+@@ -983,8 +986,10 @@ void compute_creds(struct linux_binprm *
+ {
+       int unsafe;
+-      if (bprm->e_uid != current->uid)
++      if (bprm->e_uid != current->uid) {
+               suid_keys(current);
++              current->pdeath_signal = 0;
++      }
+       exec_keys(current);
+       task_lock(current);
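Review bot: The reset added in compute_creds() is guarded only by `bprm->e_uid != current->uid`, while the one in flush_old_exec() also tests `bprm->e_gid != current->egid`, so an exec that changes only the group id relies on the flush_old_exec() path alone to clear the signal. If that asymmetry is intended it should be stated in a comment; otherwise a matching gid test belongs next to the uid one. Neither site explains why the field is cleared, and a one-line comment such as `/* do not carry a pre-exec parent-death signal into a process whose credentials change */` would keep a later cleanup from dropping the assignment. The two branches in flush_old_exec() now repeat `suid_keys(current);` and `current->mm->dumpable = suid_dumpable;`, which could be shared so that only `current->pdeath_signal = 0;` depends on the id change. Both functions begin and end outside the hunks shown, so other credential-changing paths could not be checked from here.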
diff --git a/releases/2.6.22.4/series b/releases/2.6.22.4/series
new file mode 100644 (file)
index 0000000..32f78ca
--- /dev/null
@@ -0,0 +1 @@
+reset-current-pdeath_signal-on-suid-binary-execution.patch