Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6:
CRED: Fix SUID exec regression

+24 -8
+1 -1
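--- a/fs/compat.c
+++ b/fs/compat.c
@@ -1407,7 +1407,7 @@
 	bprm->cred = prepare_exec_creds();
 	if (!bprm->cred)
 		goto out_unlock;
-	check_unsafe_exec(bprm);
+	check_unsafe_exec(bprm, current->files);
 
 	file = open_exec(filename);
 	retval = PTR_ERR(file);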
+22 -6
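--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1049,16 +1049,32 @@
  * - the caller must hold current->cred_exec_mutex to protect against
  * PTRACE_ATTACH
  */
-void check_unsafe_exec(struct linux_binprm *bprm)
+void check_unsafe_exec(struct linux_binprm *bprm, struct files_struct *files)
 {
-	struct task_struct *p = current;
+	struct task_struct *p = current, *t;
+	unsigned long flags;
+	unsigned n_fs, n_files, n_sighand;
 
 	bprm->unsafe = tracehook_unsafe_exec(p);
 
-	if (atomic_read(&p->fs->count) > 1 ||
-	    atomic_read(&p->files->count) > 1 ||
-	    atomic_read(&p->sighand->count) > 1)
+	n_fs = 1;
+	n_files = 1;
+	n_sighand = 1;
+	lock_task_sighand(p, &flags);
+	for (t = next_thread(p); t != p; t = next_thread(t)) {
+		if (t->fs == p->fs)
+			n_fs++;
+		if (t->files == files)
+			n_files++;
+		n_sighand++;
+	}
+
+	if (atomic_read(&p->fs->count) > n_fs ||
+	    atomic_read(&p->files->count) > n_files ||
+	    atomic_read(&p->sighand->count) > n_sighand)
 		bprm->unsafe |= LSM_UNSAFE_SHARE;
+
+	unlock_task_sighand(p, &flags);
 }
 
 /*
@@ -1289,7 +1273,7 @@
 	bprm->cred = prepare_exec_creds();
 	if (!bprm->cred)
 		goto out_unlock;
-	check_unsafe_exec(bprm);
+	check_unsafe_exec(bprm, displaced);
 
 	file = open_exec(filename);
 	retval = PTR_ERR(file);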
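Review bot: In the new `check_unsafe_exec()`, `n_files` is counted against the `files` argument (`t->files == files`), but the threshold test still reads `atomic_read(&p->files->count)`, so the comparison only holds when the caller passes the table that `p->files` points to at that moment. The `do_execve()` call site in the second hunk passes `displaced`, while fs/compat.c passes `current->files`; if `displaced` is a different table from `current->files` here (its assignment is outside the hunk), the refcount of one table is weighed against the sharers of another and `LSM_UNSAFE_SHARE` may be left unset for a set-id exec that is in fact shared. I would state the contract in the header comment, e.g. `* - @files must be the files_struct whose ->count is tested below`, or read the count from the same object the loop compares against, provided `files` is known to be non-NULL. The return value of `lock_task_sighand(p, &flags)` is also ignored; either check it or add a one-line comment saying why it is expected to succeed for `current` at this point.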
+1 -1
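--- a/fs/internal.h
+++ b/fs/internal.h
@@ -43,7 +43,7 @@
 /*
  * exec.c
  */
-extern void check_unsafe_exec(struct linux_binprm *);
+extern void check_unsafe_exec(struct linux_binprm *, struct files_struct *);
 
 /*
  * namespace.c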