DuDu371/linux-rockchip
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
linux-rockchip/kernel
History
Kees Cook d389d610b1 exec/ptrace: fix get_dumpable() incorrect tests 
commit d049f74f2d upstream.

The get_dumpable() return value is not boolean.  Most users of the
function actually want to be testing for non-SUID_DUMP_USER(1) rather than
SUID_DUMP_DISABLE(0).  The SUID_DUMP_ROOT(2) is also considered a
protected state.  Almost all places did this correctly, excepting the two
places fixed in this patch.

Wrong logic:
    if (dumpable == SUID_DUMP_DISABLE) { /* be protective */ }
        or
    if (dumpable == 0) { /* be protective */ }
        or
    if (!dumpable) { /* be protective */ }

Correct logic:
    if (dumpable != SUID_DUMP_USER) { /* be protective */ }
        or
    if (dumpable != 1) { /* be protective */ }

Without this patch, if the system had set the sysctl fs/suid_dumpable=2, a
user was able to ptrace attach to processes that had dropped privileges to
that user.  (This may have been partially mitigated if Yama was enabled.)

The macros have been moved into the file that declares get/set_dumpable(),
which means things like the ia64 code can see them too.

CVE-2013-2929

Reported-by: Vasily Kulikov <segoon@openwall.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: "Luck, Tony" <tony.luck@intel.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2013-11-29 11:11:44 -08:00
..
cpu sched, idle: Fix the idle polling state logic 2013-11-29 11:11:42 -08:00
debug
events perf: Fix perf ring buffer memory ordering 2013-11-20 12:27:47 -08:00
gcov
irq genirq: Fix can_request_irq() for IRQs without an action 2013-07-21 18:21:27 -07:00
power PM / QoS: Fix workqueue deadlock when using pm_qos_update_request_timeout() 2013-08-20 08:43:05 -07:00
sched sched/fair: Fix small race where child->se.parent,cfs_rq might point to invalid ones 2013-10-01 09:17:45 -07:00
time clockevents: Sanitize ticks to nsec conversion 2013-11-13 12:05:32 +09:00
trace perf/ftrace: Fix paranoid level for enabling function tracer 2013-11-29 11:11:43 -08:00
.gitignore
acct.c
async.c
audit.c audit: fix endless wait in audit_log_start() 2013-10-01 09:17:48 -07:00
audit.h
audit_tree.c
audit_watch.c
auditfilter.c
auditsc.c
backtracetest.c
bounds.c
capability.c
cgroup.c cgroup: fix to break the while loop in cgroup_attach_task() correctly 2013-11-13 12:05:30 +09:00
cgroup_freezer.c
compat.c
configs.c
context_tracking.c
cpu.c
cpu_pm.c
cpuset.c cpuset: fix the return value of cpuset_write_u64() 2013-08-20 08:43:05 -07:00
crash_dump.c
cred.c
delayacct.c
dma.c
elfcore.c
exec_domain.c
exit.c
extable.c
fork.c pidns: fix vfork() after unshare(CLONE_NEWPID) 2013-09-26 17:18:28 -07:00
freezer.c
futex.c futex: Take hugepages into account when generating futex_key 2013-07-13 11:42:26 -07:00
futex_compat.c
groups.c
hrtimer.c hrtimers: Move SMP function call to thread context 2013-07-28 16:30:22 -07:00
hung_task.c
irq_work.c
itimer.c
jump_label.c
kallsyms.c
kcmp.c
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt
kexec.c
kmod.c
kprobes.c
ksysfs.c
kthread.c
latencytop.c
lglock.c
lockdep.c
lockdep_internals.h
lockdep_proc.c
lockdep_states.h
Makefile
modsign_certificate.S
modsign_pubkey.c
module-internal.h
module.c
module_signing.c
mutex-debug.c
mutex-debug.h
mutex.c
mutex.h
notifier.c
nsproxy.c
padata.c
panic.c
params.c
pid.c pidns: Fix hang in zap_pid_ns_processes by sending a potentially extra wakeup 2013-09-26 17:18:27 -07:00
pid_namespace.c
posix-cpu-timers.c
posix-timers.c
printk.c printk: Fix rq->lock vs logbuf_lock unlock lock inversion 2013-07-25 14:07:31 -07:00
profile.c
ptrace.c exec/ptrace: fix get_dumpable() incorrect tests 2013-11-29 11:11:44 -08:00
range.c
rcu.h
rcupdate.c
rcutiny.c
rcutiny_plugin.h
rcutorture.c
rcutree.c
rcutree.h
rcutree_plugin.h
rcutree_trace.c
relay.c
res_counter.c
resource.c
rtmutex-debug.c
rtmutex-debug.h
rtmutex-tester.c
rtmutex.c
rtmutex.h
rtmutex_common.h
rwsem.c
seccomp.c
semaphore.c
signal.c
smp.c
smpboot.c
smpboot.h
softirq.c irq: Force hardirq exit's softirq processing on its own stack 2013-10-13 16:08:34 -07:00
spinlock.c
srcu.c
stacktrace.c
stop_machine.c
sys.c
sys_ni.c
sysctl.c
sysctl_binary.c
task_work.c
taskstats.c
test_kprobes.c
time.c
timeconst.bc
timer.c timer: Fix jiffies wrap behavior of round_jiffies_common() 2013-07-21 18:21:31 -07:00
tracepoint.c
tsacct.c
uid16.c
up.c
user-return-notifier.c
user.c
user_namespace.c userns: limit the maximum depth of user_namespace->parent chain 2013-08-11 18:35:25 -07:00
utsname.c
utsname_sysctl.c
wait.c
watchdog.c
workqueue.c workqueue: cond_resched() after processing each work item 2013-09-07 22:09:58 -07:00
workqueue_internal.h