[kernel] r8421 - in dists/etch-security/linux-2.6/debian: . patches/bugfix patches/series

Dann Frazier dannf at alioth.debian.org
Wed Apr 4 07:42:17 UTC 2007 

Author: dannf
Date: Wed Apr  4 07:42:17 2007
New Revision: 8421

Added:
   dists/etch-security/linux-2.6/debian/patches/bugfix/core-dump-unreadable-PT_INTERP.patch
Modified:
   dists/etch-security/linux-2.6/debian/changelog
   dists/etch-security/linux-2.6/debian/patches/series/12etch1
Log:
* bugfix/core-dump-unreadable-PT_INTERP.patch
  [SECURITY] Fix a vulnerability that allows local users to read
  otherwise unreadable (but executable) files by triggering a core dump.
  See CVE-2007-0958

Modified: dists/etch-security/linux-2.6/debian/changelog
==============================================================================
--- dists/etch-security/linux-2.6/debian/changelog	(original)
+++ dists/etch-security/linux-2.6/debian/changelog	Wed Apr  4 07:42:17 2007
@@ -5,8 +5,12 @@
     incorrectly promoted return values in bad_inode_ops
     This patch changes the kernel ABI.
     See CVE-2006-5753
+  * bugfix/core-dump-unreadable-PT_INTERP.patch
+    [SECURITY] Fix a vulnerability that allows local users to read
+    otherwise unreadable (but executable) files by triggering a core dump.
+    See CVE-2007-0958
 
- -- dann frazier <dannf at debian.org>  Mon, 26 Mar 2007 14:46:25 -0600
+ -- dann frazier <dannf at debian.org>  Wed, 04 Apr 2007 01:38:23 -0600
 
 linux-2.6 (2.6.18.dfsg.1-12) unstable; urgency=low
 

Added: dists/etch-security/linux-2.6/debian/patches/bugfix/core-dump-unreadable-PT_INTERP.patch
==============================================================================
--- (empty file)
+++ dists/etch-security/linux-2.6/debian/patches/bugfix/core-dump-unreadable-PT_INTERP.patch	Wed Apr  4 07:42:17 2007
@@ -0,0 +1,70 @@
+From: Alexey Dobriyan <adobriyan at openvz.org>
+Date: Fri, 26 Jan 2007 08:57:16 +0000 (-0800)
+Subject: [PATCH] core-dumping unreadable binaries via PT_INTERP
+X-Git-Tag: v2.6.20-rc7^0~60
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=1fb844961818ce94e782acf6a96b92dc2303553b
+
+[PATCH] core-dumping unreadable binaries via PT_INTERP
+
+Proposed patch to fix #5 in
+http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
+aka
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073
+
+To reproduce, do
+* grab poc at the end of advisory.
+* add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;"
+  where first "4096" is something equal to or greater than 4096.
+* ./poc /usr/bin/sudo && ls -l
+
+Here I get with 2.6.20-rc5:
+
+ -rw------- 1 ad   ad   102400 2007-01-15 19:17 core
+ ---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo
+
+Check for MAY_READ like binfmt_misc.c does.
+
+Signed-off-by: Alexey Dobriyan <adobriyan at openvz.org>
+Signed-off-by: Andrew Morton <akpm at osdl.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+
+diff --git a/fs/binfmt_elf.c b/fs/binfmt_elf.c
+index 90461f4..669dbe5 100644
+--- a/fs/binfmt_elf.c
++++ b/fs/binfmt_elf.c
+@@ -682,6 +682,15 @@ static int load_elf_binary(struct linux_binprm *bprm, struct pt_regs *regs)
+ 			retval = PTR_ERR(interpreter);
+ 			if (IS_ERR(interpreter))
+ 				goto out_free_interp;
++
++			/*
++			 * If the binary is not readable then enforce
++			 * mm->dumpable = 0 regardless of the interpreter's
++			 * permissions.
++			 */
++			if (file_permission(interpreter, MAY_READ) < 0)
++				bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
++
+ 			retval = kernel_read(interpreter, 0, bprm->buf,
+ 					     BINPRM_BUF_SIZE);
+ 			if (retval != BINPRM_BUF_SIZE) {
+diff --git a/fs/binfmt_elf_fdpic.c b/fs/binfmt_elf_fdpic.c
+index 6e6d456..a4d933a 100644
+--- a/fs/binfmt_elf_fdpic.c
++++ b/fs/binfmt_elf_fdpic.c
+@@ -234,6 +234,14 @@ static int load_elf_fdpic_binary(struct linux_binprm *bprm,
+ 				goto error;
+ 			}
+ 
++			/*
++			 * If the binary is not readable then enforce
++			 * mm->dumpable = 0 regardless of the interpreter's
++			 * permissions.
++			 */
++			if (file_permission(interpreter, MAY_READ) < 0)
++				bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
++
+ 			retval = kernel_read(interpreter, 0, bprm->buf,
+ 					     BINPRM_BUF_SIZE);
+ 			if (retval < 0)

Modified: dists/etch-security/linux-2.6/debian/patches/series/12etch1
==============================================================================
--- dists/etch-security/linux-2.6/debian/patches/series/12etch1	(original)
+++ dists/etch-security/linux-2.6/debian/patches/series/12etch1	Wed Apr  4 07:42:17 2007
@@ -1 +1,2 @@
 + bugfix/listxattr-mem-corruption.patch
++ bugfix/core-dump-unreadable-PT_INTERP.patch

More information about the Kernel-svn-changes mailing list