lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 13 Apr 2007 13:39:15 +0100 From: Alan Cox <alan@...rguk.ukuu.org.uk> To: "Christopher S. Aker" <caker@...shore.net> Cc: Andi Kleen <andi@...stfloor.org>, "Bill Rugolsky Jr." <brugolsky@...emetry-investments.com>, linux-kernel@...r.kernel.org Subject: Re: [Feature Request?] Inline compression of process core dumps > Looking at the code, it seems to me that format_corename() is appending > .pid, regardless if !core_uses_pid and corename[0]=='|', in which case > it creates an invalid path for call_usermodehelper_pipe(). > > Bug in the code, or bug in my methods? This looks somewhat better and might do the trick. Also fixes a very very obscure security corner case. If you change core pattern to start with the program name then the user can run a program called "|myevilhack" as it stands. The patch checks for "|" in the pattern not the output and doesn't nail a pid on to a piped name. Signed-off-by: Alan Cox <alan@...hat.com> diff -u --exclude-from /usr/src/exclude --new-file --recursive linux.vanilla-2.6.21-rc6-mm1/fs/exec.c linux-2.6.21-rc6-mm1/fs/exec.c --- linux.vanilla-2.6.21-rc6-mm1/fs/exec.c 2007-04-12 14:15:05.000000000 +0100 +++ linux-2.6.21-rc6-mm1/fs/exec.c 2007-04-13 13:11:20.709835952 +0100 @@ -1265,13 +1265,17 @@ * name into corename, which must have space for at least * CORENAME_MAX_SIZE bytes plus one byte for the zero terminator. */ -static void format_corename(char *corename, const char *pattern, long signr) +static int format_corename(char *corename, const char *pattern, long signr) { const char *pat_ptr = pattern; char *out_ptr = corename; char *const out_end = corename + CORENAME_MAX_SIZE; int rc; int pid_in_pattern = 0; + int ispipe = 0; + + if (*pattern == '|') + ispipe = 1; /* Repeat as long as we have more pattern to process and more output space */ @@ -1362,8 +1366,8 @@ * * If core_pattern does not include a %p (as is the default) * and core_uses_pid is set, then .%pid will be appended to - * the filename */ - if (!pid_in_pattern + * the filename. Do not do this for piped commands. */ + if (!ispipe && !pid_in_pattern && (core_uses_pid || atomic_read(¤t->mm->mm_users) != 1)) { rc = snprintf(out_ptr, out_end - out_ptr, ".%d", current->tgid); @@ -1371,8 +1375,9 @@ goto out; out_ptr += rc; } - out: +out: *out_ptr = 0; + return ispipe; } static void zap_process(struct task_struct *start) @@ -1523,16 +1528,15 @@ * uses lock_kernel() */ lock_kernel(); - format_corename(corename, core_pattern, signr); + ispipe = format_corename(corename, core_pattern, signr); unlock_kernel(); - if (corename[0] == '|') { + if (ispipe) { /* SIGPIPE can happen, but it's just never processed */ if(call_usermodehelper_pipe(corename+1, NULL, NULL, &file)) { printk(KERN_INFO "Core dump to %s pipe failed\n", corename); goto fail_unlock; } - ispipe = 1; } else file = filp_open(corename, O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag, - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists