[PATCH] core-dumping unreadable binaries via PT_INTERP (1fb84496) · Commits · 戴 / test

Proposed patch to fix #5 in http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt aka http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073 To reproduce, do * grab poc at the end of advisory. * add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;" where first "4096" is something equal to or greater than 4096. * ./poc /usr/bin/sudo && ls -l Here I get with 2.6.20-rc5: -rw------- 1 ad ad 102400 2007-01-15 19:17 core ---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo Check for MAY_READ like binfmt_misc.c does. Signed-off-by:

Alexey Dobriyan <adobriyan@openvz.org> Signed-off-by:

Andrew Morton <akpm@osdl.org> Signed-off-by:

Linus Torvalds <torvalds@linux-foundation.org>

fs/binfmt_elf.c

+9 −0

Original line number	Diff line number	Diff line
		@@ -682,6 +682,15 @@ static int load_elf_binary(struct linux_binprm bprm, struct pt_regs regs)
		retval = PTR_ERR(interpreter);
		if (IS_ERR(interpreter))
		goto out_free_interp;

		/*
		* If the binary is not readable then enforce
		* mm->dumpable = 0 regardless of the interpreter's
		* permissions.
		*/
		if (file_permission(interpreter, MAY_READ) < 0)
		bprm->interp_flags \|= BINPRM_FLAGS_ENFORCE_NONDUMP;

		retval = kernel_read(interpreter, 0, bprm->buf,
		BINPRM_BUF_SIZE);
		if (retval != BINPRM_BUF_SIZE) {

fs/binfmt_elf_fdpic.c

+8 −0

Original line number	Diff line number	Diff line
		@@ -234,6 +234,14 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm,
		goto error;
		}

		/*
		* If the binary is not readable then enforce
		* mm->dumpable = 0 regardless of the interpreter's
		* permissions.
		*/
		if (file_permission(interpreter, MAY_READ) < 0)
		bprm->interp_flags \|= BINPRM_FLAGS_ENFORCE_NONDUMP;

		retval = kernel_read(interpreter, 0, bprm->buf,
		BINPRM_BUF_SIZE);
		if (retval < 0)

Admin message