exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337)

CVE-2009-1337 commit 432870dab85a2f69dc417022646cb9a70acf7f94 upstream. The CAP_KILL check in exit_notify() looks just wrong, kill it. Whatever logic we have to reset ->exit_signal, the malicious user can bypass it if it execs the setuid application before exiting. Signed-off-by: Oleg Nesterov <oleg@redhat.com> Acked-by: Serge Hallyn <serue@us.ibm.com> Acked-by: Roland McGrath <roland@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Oleg Nesterov <oleg@redhat.com> 2009-04-06 16:16:02 +0200
committer: Greg Kroah-Hartman <gregkh@suse.de> 2009-05-02 10:57:20 -0700
commit: eab3d542839412d2e7fa712d0dfcc1b90f2755ed (patch)
tree: 7a9c87846bbf1082f81c5b76c2c675025f4a3e27
parent: 1151ad37983dbd4aa58ebec866042ae762fdc83b (diff)
1 files changed, 1 insertions, 2 deletions
diff --git a/kernel/exit.c b/kernel/exit.c
index 10e393b5381..dd9bfe25471 100644
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -942,8 +942,7 @@ static void exit_notify(struct task_struct *tsk, int group_dead)
 	 */
 	if (tsk->exit_signal != SIGCHLD && !task_detached(tsk) &&
 	    (tsk->parent_exec_id != tsk->real_parent->self_exec_id ||
-	     tsk->self_exec_id != tsk->parent_exec_id) &&
-	    !capable(CAP_KILL))
+	     tsk->self_exec_id != tsk->parent_exec_id))
 		tsk->exit_signal = SIGCHLD;
 
 	signal = tracehook_notify_death(tsk, &cookie, group_dead);
author	Oleg Nesterov <oleg@redhat.com>	2009-04-06 16:16:02 +0200
committer	Greg Kroah-Hartman <gregkh@suse.de>	2009-05-02 10:57:20 -0700
commit	eab3d542839412d2e7fa712d0dfcc1b90f2755ed (patch)
tree	7a9c87846bbf1082f81c5b76c2c675025f4a3e27
parent	1151ad37983dbd4aa58ebec866042ae762fdc83b (diff)