Diffstat (limited to 'fs/exec.c')
-rw-r--r--fs/exec.c51
1 files changed, 39 insertions, 12 deletions
diff --git a/fs/exec.c b/fs/exec.c
index e56ee243702..222ab1c572d 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -58,6 +58,9 @@
int core_uses_pid;
char core_pattern[65] = "core";
+int suid_dumpable = 0;
+
+EXPORT_SYMBOL(suid_dumpable);
/* The maximal length of core_pattern is also specified in sysctl.c */
static struct linux_binfmt *formats;
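Review bot: `suid_dumpable` is defined with no statement of its accepted values, yet flush_old_exec (later hunks) copies it unchanged into `mm->dumpable` and the only value do_coredump distinguishes is the exact test `mm->dumpable == 2`. A value outside that scheme written through the sysctl would make the mm dumpable without selecting the root-owned/O_EXCL mode; whether the sysctl entry bounds the range is not visible here and should be confirmed. The definition also deserves a comment at the declaration, e.g. `/* sysctl: 0 = never dump setuid/unreadable binaries, 2 = dump as root with O_EXCL; see do_coredump */`.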
@@ -639,6 +642,18 @@ static inline int de_thread(struct task_struct *tsk)
count = 2;
if (thread_group_leader(current))
count = 1;
+ else {
+ /*
+ * The SIGALRM timer survives the exec, but needs to point
+ * at us as the new group leader now. We have a race with
+ * a timer firing now getting the old leader, so we need to
+ * synchronize with any firing (by calling del_timer_sync)
+ * before we can safely let the old group leader die.
+ */
+ sig->real_timer.data = (unsigned long)current;
+ if (del_timer_sync(&sig->real_timer))
+ add_timer(&sig->real_timer);
+ }
while (atomic_read(&sig->count) > count) {
sig->group_exit_task = current;
sig->notify_count = count;
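Review bot: del_timer_sync() in the new else branch appears to run with the siglock held — `spin_unlock_irq(lock)` only follows the wait loop (next hunk) and no unlock is visible between the branch and the loop, though the acquisition itself is outside this hunk. del_timer_sync() waits for a running handler to return, so if the SIGALRM handler can take that same siglock this is a deadlock; if the lock is indeed held, bracket the call with `spin_unlock_irq(lock);` before `if (del_timer_sync(&sig->real_timer))` and `spin_lock_irq(lock);` after the `add_timer` line. The next hunk re-assigns `sig->real_timer.data` after the wait loop; a one-line comment saying why the assignment is repeated would help. de_thread's body starts and ends outside this hunk.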
@@ -649,6 +664,7 @@ static inline int de_thread(struct task_struct *tsk)
}
sig->group_exit_task = NULL;
sig->notify_count = 0;
+ sig->real_timer.data = (unsigned long)current;
spin_unlock_irq(lock);
/*
@@ -675,10 +691,8 @@ static inline int de_thread(struct task_struct *tsk)
proc_dentry2 = proc_pid_unhash(leader);
write_lock_irq(&tasklist_lock);
- if (leader->tgid != current->tgid)
- BUG();
- if (current->pid == current->tgid)
- BUG();
+ BUG_ON(leader->tgid != current->tgid);
+ BUG_ON(current->pid == current->tgid);
/*
* An exec() starts a new thread group with the
* TGID of the previous thread group. Rehash the
@@ -726,8 +740,7 @@ static inline int de_thread(struct task_struct *tsk)
proc_pid_flush(proc_dentry1);
proc_pid_flush(proc_dentry2);
- if (exit_state != EXIT_ZOMBIE)
- BUG();
+ BUG_ON(exit_state != EXIT_ZOMBIE);
release_task(leader);
}
@@ -772,10 +785,8 @@ no_thread_group:
kmem_cache_free(sighand_cachep, oldsighand);
}
- if (!thread_group_empty(current))
- BUG();
- if (!thread_group_leader(current))
- BUG();
+ BUG_ON(!thread_group_empty(current));
+ BUG_ON(!thread_group_leader(current));
return 0;
}
@@ -868,6 +879,9 @@ int flush_old_exec(struct linux_binprm * bprm)
if (current->euid == current->uid && current->egid == current->gid)
current->mm->dumpable = 1;
+ else
+ current->mm->dumpable = suid_dumpable;
+
name = bprm->filename;
/* Copies the binary name from after last slash */
@@ -888,7 +902,7 @@ int flush_old_exec(struct linux_binprm * bprm)
permission(bprm->file->f_dentry->d_inode,MAY_READ, NULL) ||
(bprm->interp_flags & BINPRM_FLAGS_ENFORCE_NONDUMP)) {
suid_keys(current);
- current->mm->dumpable = 0;
+ current->mm->dumpable = suid_dumpable;
}
/* An exec changes our domain. We are no longer part of the thread
@@ -1436,6 +1450,8 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
struct inode * inode;
struct file * file;
int retval = 0;
+ int fsuid = current->fsuid;
+ int flag = 0;
binfmt = current->binfmt;
if (!binfmt || !binfmt->core_dump)
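Review bot: The saved copy `int fsuid = current->fsuid;` narrows the task's uid_t field into a signed int; declare it with the field's own type, `uid_t fsuid = current->fsuid;`, so the restore at fail_unlock (last hunk) round-trips without an implicit sign conversion. do_coredump's signature is outside the hunk.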
@@ -1445,6 +1461,16 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
up_write(&mm->mmap_sem);
goto fail;
}
+
+ /*
+ * We cannot trust fsuid as being the "true" uid of the
+ * process nor do we know its entire history. We only know it
+ * was tainted so we dump it as root in mode 2.
+ */
+ if (mm->dumpable == 2) { /* Setuid core dump mode */
+ flag = O_EXCL; /* Stop rewrite attacks */
+ current->fsuid = 0; /* Dump root private */
+ }
mm->dumpable = 0;
init_completion(&mm->core_done);
spin_lock_irq(&current->sighand->siglock);
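Review bot: `current->fsuid = 0` is undone only at the `fail_unlock` label (last hunk); any `goto fail` taken between this point and that label would leave the task running with fsuid 0 after the dump is abandoned. Whether such a path exists cannot be seen from the hunk, but since `fsuid` is saved unconditionally at function entry the restore is a no-op when nothing changed, so placing `current->fsuid = fsuid;` directly under `fail:` instead covers both exits with no downside. The `mm->dumpable == 2` test correctly precedes the `mm->dumpable = 0` reset on the line after the new block. do_coredump continues outside the hunk.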
@@ -1470,7 +1496,7 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
lock_kernel();
format_corename(corename, core_pattern, signr);
unlock_kernel();
- file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600);
+ file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, 0600);
if (IS_ERR(file))
goto fail_unlock;
inode = file->f_dentry->d_inode;
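Review bot: The access mode in the new flag expression is still the bare `2`; now that `flag` is or-ed in, the constant reads as one more flag rather than O_RDWR. Spell it out: `file = filp_open(corename, O_CREAT | O_RDWR | O_NOFOLLOW | O_LARGEFILE | flag, 0600);`. With fsuid temporarily 0 in the setuid mode, the 0600 mode means the file created here is readable by root only, which matches the intent stated in the earlier hunk.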
@@ -1495,6 +1521,7 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
close_fail:
filp_close(file, NULL);
fail_unlock:
+ current->fsuid = fsuid;
complete_all(&mm->core_done);
fail:
return retval;