X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=blobdiff_plain;f=fs%2Fexec.c;h=222ab1c572d884762bae366086bbe145f8e0f65b;hb=f2ab4461249df85b20930a7a57b54f39c5ae291a;hp=e56ee24370255e2ab4df9a3933ec03f0d07a2de3;hpb=f2cbb4f01936a3e4225692e03b084b78c56d386d;p=linux-2.6
diff --git a/fs/exec.c b/fs/exec.c
index e56ee24370..222ab1c572 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -58,6 +58,9 @@
 int core_uses_pid;
 char core_pattern[65] = "core";
+int suid_dumpable = 0;
+
+EXPORT_SYMBOL(suid_dumpable);
 /* The maximal length of core_pattern is also specified in sysctl.c */
 static struct linux_binfmt *formats;
@@ -639,6 +642,18 @@ static inline int de_thread(struct task_struct *tsk)
 count = 2;
 if (thread_group_leader(current))
 count = 1;
+ else {
+ /*
+ * The SIGALRM timer survives the exec, but needs to point
+ * at us as the new group leader now. We have a race with
+ * a timer firing now getting the old leader, so we need to
+ * synchronize with any firing (by calling del_timer_sync)
+ * before we can safely let the old group leader die.
+ */
+ sig->real_timer.data = (unsigned long)current;
+ if (del_timer_sync(&sig->real_timer))
+ add_timer(&sig->real_timer);
+ }
 while (atomic_read(&sig->count) > count) {
 sig->group_exit_task = current;
 sig->notify_count = count;
@@ -649,6 +664,7 @@ static inline int de_thread(struct task_struct *tsk)
 }
 sig->group_exit_task = NULL;
 sig->notify_count = 0;
+ sig->real_timer.data = (unsigned long)current;
 spin_unlock_irq(lock);
 /*
@@ -675,10 +691,8 @@ static inline int de_thread(struct task_struct *tsk)
 proc_dentry2 = proc_pid_unhash(leader);
 write_lock_irq(&tasklist_lock);
- if (leader->tgid != current->tgid)
- BUG();
- if (current->pid == current->tgid)
- BUG();
+ BUG_ON(leader->tgid != current->tgid);
+ BUG_ON(current->pid == current->tgid);
 /*
 * An exec() starts a new thread group with the
 * TGID of the previous thread group. Rehash the
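Review bot: `int suid_dumpable = 0;` is exported with no comment on what its values mean, yet the rest of this diff depends on exactly three of them: 0 keeps the old behaviour (setuid or unreadable binaries get `dumpable = 0`), 1 marks such a process dumpable like any other, and 2 makes do_coredump write the core with fsuid 0, `O_EXCL` and mode 0600. A comment at the definition, such as `/* 0: setuid/unreadable processes never dump, 1: dump as the process user (debug), 2: dump as root into a new 0600 file */`, would save readers a trip through do_coredump. The variable is presumably written from sysctl.c (the neighbouring comment already points there for core_pattern); if so, the comment should also say that the range check lives there, because nothing in this file validates it.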
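Review bot: `del_timer_sync(&sig->real_timer)` in the new else branch is called while the lock released by the `spin_unlock_irq(lock)` in the next hunk is still held with interrupts off (de_thread starts and ends outside this hunk, so the matching `spin_lock_irq` is not visible). del_timer_sync waits for a handler already running on another CPU to return; if that handler takes the same siglock to deliver SIGALRM to the group — which I would expect but cannot see here — a handler that fired just before this point spins on the lock we hold while we spin waiting for it, and the exec deadlocks. Dropping the lock around the cancel, `spin_unlock_irq(lock); if (del_timer_sync(&sig->real_timer)) add_timer(&sig->real_timer); spin_lock_irq(lock);`, avoids that, and nothing visible in the hunk depends on the lock being held continuously at this point since only `count` has been computed. The `sig->real_timer.data = (unsigned long)current;` added after the wait loop in the next hunk repeats the assignment made here for the non-leader case; a short comment saying why it is done twice (or dropping the duplicate) would help.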
@@ -726,8 +740,7 @@ static inline int de_thread(struct task_struct *tsk)
 proc_pid_flush(proc_dentry1);
 proc_pid_flush(proc_dentry2);
- if (exit_state != EXIT_ZOMBIE)
- BUG();
+ BUG_ON(exit_state != EXIT_ZOMBIE);
 release_task(leader);
 }
@@ -772,10 +785,8 @@ no_thread_group:
 kmem_cache_free(sighand_cachep, oldsighand);
 }
- if (!thread_group_empty(current))
- BUG();
- if (!thread_group_leader(current))
- BUG();
+ BUG_ON(!thread_group_empty(current));
+ BUG_ON(!thread_group_leader(current));
 return 0;
 }
@@ -868,6 +879,9 @@ int flush_old_exec(struct linux_binprm * bprm)
 if (current->euid == current->uid && current->egid == current->gid)
 current->mm->dumpable = 1;
+ else
+ current->mm->dumpable = suid_dumpable;
+
 name = bprm->filename;
 /* Copies the binary name from after last slash */
@@ -888,7 +902,7 @@ int flush_old_exec(struct linux_binprm * bprm)
 permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) ||
 (bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
 suid_keys(current);
- current->mm->dumpable = 0;
+ current->mm->dumpable = suid_dumpable;
 }
 /* An exec changes our domain. We are no longer part of the thread
@@ -1436,6 +1450,8 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
 struct inode * inode;
 struct file * file;
 int retval = 0;
+ int fsuid = current->fsuid;
+ int flag = 0;
 binfmt = current->binfmt;
 if (!binfmt || !binfmt->core_dump)
@@ -1445,6 +1461,16 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
 up_write(&mm->mmap_sem);
 goto fail;
 }
+
+ /*
+ * We cannot trust fsuid as being the "true" uid of the
+ * process nor do we know its entire history. We only know it
+ * was tainted so we dump it as root in mode 2.
+ */
+ if (mm->dumpable == 2) { /* Setuid core dump mode */
+ flag = O_EXCL; /* Stop rewrite attacks */
+ current->fsuid = 0; /* Dump root private */
+ }
 mm->dumpable = 0;
 init_completion(&mm->core_done);
 spin_lock_irq(¤t->sighand->siglock);
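Review bot: `current->mm->dumpable = suid_dumpable;` in the new else branch copies the sysctl value into the per-mm field with no range check, and the `-888` hunk below does the same for the unreadable/ENFORCE_NONDUMP case; do_coredump later tests `mm->dumpable == 2`, so any value other than 0, 1 or 2 would silently behave like mode 1 (dumpable as the user) unless the sysctl write path clamps it, which this diff does not show. Either clamp at the point of use, `current->mm->dumpable = (suid_dumpable == 1 || suid_dumpable == 2) ? suid_dumpable : 0;`, so an out-of-range setting fails closed, or add a comment at the assignment stating that sysctl.c is responsible for keeping the value within 0..2. The global is also read without any locking, which is fine for a plain int but deserves a word in that comment. flush_old_exec starts and ends outside this hunk.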
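Review bot: `int fsuid = current->fsuid;` saves a uid_t field in an int; the restore at `fail_unlock:` in the last hunk assigns it straight back so the round trip is lossless in practice, but `uid_t fsuid = current->fsuid;` matches the field, avoids a signed/unsigned conversion, and states the intent. A comment on the declaration, `/* saved so the mode-2 "dump as root" override can be undone on every exit */`, would explain why the value is kept at all. do_coredump continues outside this hunk.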
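Review bot: In mode 2 the dump is written with `current->fsuid = 0` to whatever `format_corename(corename, core_pattern, signr)` produces, and `core_pattern` (default `"core"` in the first hunk) may be relative, so the root-owned 0600 file is created in the crashing process's current directory, a location chosen by whoever ran the setuid binary; `O_EXCL` prevents overwriting an existing file there but not creating a new root-owned one. Refusing the privileged dump unless the pattern is absolute closes that, e.g. inside the new block: `if (core_pattern[0] != '/') { up_write(&mm->mmap_sem); goto fail; }`, mirroring the `up_write`/`goto fail` exit just above (do_coredump continues outside the hunk, so confirm `mmap_sem` is still held at this point). The fsuid is put back only at `fail_unlock:` in the last hunk, which is correct as long as every exit after this block routes through that label; the `goto fail` visible here precedes the override, so it is fine, but any later direct `goto fail` would skip the restore. The bare `2` here and in flush_old_exec would read better as a named constant (e.g. `SUID_DUMP_ROOT`) shared with the sysctl definition.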
@@ -1470,7 +1496,7 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
 lock_kernel();
 format_corename(corename, core_pattern, signr);
 unlock_kernel();
- file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600);
+ file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, 0600);
 if (IS_ERR(file))
 goto fail_unlock;
 inode = file->f_dentry->d_inode;
@@ -1495,6 +1521,7 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
 close_fail:
 filp_close(file, NULL);
 fail_unlock:
+ current->fsuid = fsuid;
 complete_all(&mm->core_done);
 fail:
 return retval;
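Review bot: The rewritten `filp_open` line still spells the access mode as the bare `2`; since the line is being changed anyway, `O_CREAT | O_RDWR | O_NOFOLLOW | O_LARGEFILE | flag` would read better. The `flag` operand also deserves a comment, `/* O_EXCL in mode 2: an existing file of that name makes the open fail and no dump is written */`, because with `retval` initialised to 0 in the first hunk a failed open goes to `fail_unlock` and returns success, so a second crash of the same setuid program silently leaves no core — an intended trade-off that a reader should not mistake for a bug. do_coredump continues outside this hunk.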