diff options
author | Oleg Nesterov <oleg@redhat.com> | 2009-04-06 16:16:02 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2009-05-02 10:24:55 -0700 |
commit | 9460a617660c1d5f3d6fdf0f6163939a67ed7f9c (patch) | |
tree | 1bc3709a1b1b35dacdcfbfc559ed02183e2c23fe /kernel/exit.c | |
parent | 5a80273150a8a1725fa70418d106eb1f2ee8fd2f (diff) |
exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337)
CVE-2009-1337
commit 432870dab85a2f69dc417022646cb9a70acf7f94 upstream.
The CAP_KILL check in exit_notify() looks just wrong, kill it.
Whatever logic we have to reset ->exit_signal, the malicious user
can bypass it if it execs the setuid application before exiting.
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Acked-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'kernel/exit.c')
-rw-r--r-- | kernel/exit.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/kernel/exit.c b/kernel/exit.c index 14096a11617..8715136aca4 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -938,8 +938,7 @@ static void exit_notify(struct task_struct *tsk, int group_dead) */ if (tsk->exit_signal != SIGCHLD && !task_detached(tsk) && (tsk->parent_exec_id != tsk->real_parent->self_exec_id || - tsk->self_exec_id != tsk->parent_exec_id) && - !capable(CAP_KILL)) + tsk->self_exec_id != tsk->parent_exec_id)) tsk->exit_signal = SIGCHLD; signal = tracehook_notify_death(tsk, &cookie, group_dead); |