378c6520e7
This commit fixes the following security hole affecting systems where all of the following conditions are fulfilled: - The fs.suid_dumpable sysctl is set to 2. - The kernel.core_pattern sysctl's value starts with "/". (Systems where kernel.core_pattern starts with "|/" are not affected.) - Unprivileged user namespace creation is permitted. (This is true on Linux >=3.8, but some distributions disallow it by default using a distro patch.) Under these conditions, if a program executes under secure exec rules, causing it to run with the SUID_DUMP_ROOT flag, then unshares its user namespace, changes its root directory and crashes, the coredump will be written using fsuid=0 and a path derived from kernel.core_pattern - but this path is interpreted relative to the root directory of the process, allowing the attacker to control where a coredump will be written with root privileges. To fix the security issue, always interpret core_pattern for dumps that are written under SUID_DUMP_ROOT relative to the root directory of init. Signed-off-by: Jann Horn <jann@thejh.net> Acked-by: Kees Cook <keescook@chromium.org> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Andy Lutomirski <luto@kernel.org> Cc: Oleg Nesterov <oleg@redhat.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
---|---|---|
.. | ||
chan_kern.c | ||
chan_user.c | ||
chan_user.h | ||
chan.h | ||
cow_sys.h | ||
cow_user.c | ||
cow.h | ||
daemon_kern.c | ||
daemon_user.c | ||
daemon.h | ||
fd.c | ||
harddog_kern.c | ||
harddog_user.c | ||
hostaudio_kern.c | ||
line.c | ||
line.h | ||
Makefile | ||
mconsole_kern.c | ||
mconsole_kern.h | ||
mconsole_user.c | ||
mconsole.h | ||
mmapper_kern.c | ||
net_kern.c | ||
net_user.c | ||
null.c | ||
pcap_kern.c | ||
pcap_user.c | ||
pcap_user.h | ||
port_kern.c | ||
port_user.c | ||
port.h | ||
pty.c | ||
random.c | ||
slip_common.c | ||
slip_common.h | ||
slip_kern.c | ||
slip_user.c | ||
slip.h | ||
slirp_kern.c | ||
slirp_user.c | ||
slirp.h | ||
ssl.c | ||
ssl.h | ||
stderr_console.c | ||
stdio_console.c | ||
stdio_console.h | ||
tty.c | ||
ubd_kern.c | ||
ubd_user.c | ||
ubd.h | ||
umcast_kern.c | ||
umcast_user.c | ||
umcast.h | ||
vde_kern.c | ||
vde_user.c | ||
vde.h | ||
xterm_kern.c | ||
xterm.c | ||
xterm.h |