aboutsummaryrefslogtreecommitdiff
path: root/fs/exec.c
diff options
context:
space:
mode:
authorMarcel Holtmann <marcel@holtmann.org>2007-08-17 21:47:58 +0200
committerWilly Tarreau <w@1wt.eu>2007-08-25 17:24:22 +0200
commitc1e4dd1423d04c3010cfc70db210e41c97c5fd25 (patch)
treec2f197c70c9677c18aabcc2e286013ee1017904a /fs/exec.c
parent1cf05c27a34048f768a3d9ea1410a28e71763587 (diff)
[PATCH] Reset current->pdeath_signal on SUID binary execution (CVE-2007-3848)
This fixes a vulnerability in the "parent process death signal" implementation discoverd by Wojciech Purczynski of COSEINC PTE Ltd. and iSEC Security Research. http://marc.info/?l=bugtraq&m=118711306802632&w=2 Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: Willy Tarreau <w@1wt.eu>
Diffstat (limited to 'fs/exec.c')
-rw-r--r--fs/exec.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/fs/exec.c b/fs/exec.c
index 0f8573acb9f..bd1ab3f460a 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -881,9 +881,12 @@ int flush_old_exec(struct linux_binprm * bprm)
*/
current->mm->task_size = TASK_SIZE;
- if (bprm->e_uid != current->euid || bprm->e_gid != current->egid ||
- file_permission(bprm->file, MAY_READ) ||
- (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
+ if (bprm->e_uid != current->euid || bprm->e_gid != current->egid) {
+ suid_keys(current);
+ current->mm->dumpable = suid_dumpable;
+ current->pdeath_signal = 0;
+ } else if (file_permission(bprm->file, MAY_READ) ||
+ (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
suid_keys(current);
current->mm->dumpable = suid_dumpable;
}
@@ -974,8 +977,10 @@ void compute_creds(struct linux_binprm *bprm)
{
int unsafe;
- if (bprm->e_uid != current->uid)
+ if (bprm->e_uid != current->uid) {
suid_keys(current);
+ current->pdeath_signal = 0;
+ }
exec_keys(current);
task_lock(current);