linux/arch/um/drivers
Jann Horn 378c6520e7 fs/coredump: prevent fsuid=0 dumps into user-controlled directories
This commit fixes the following security hole affecting systems where
all of the following conditions are fulfilled:

 - The fs.suid_dumpable sysctl is set to 2.
 - The kernel.core_pattern sysctl's value starts with "/". (Systems
   where kernel.core_pattern starts with "|/" are not affected.)
 - Unprivileged user namespace creation is permitted. (This is
   true on Linux >=3.8, but some distributions disallow it by
   default using a distro patch.)

Under these conditions, if a program executes under secure exec rules,
causing it to run with the SUID_DUMP_ROOT flag, then unshares its user
namespace, changes its root directory and crashes, the coredump will be
written using fsuid=0 and a path derived from kernel.core_pattern - but
this path is interpreted relative to the root directory of the process,
allowing the attacker to control where a coredump will be written with
root privileges.

To fix the security issue, always interpret core_pattern for dumps that
are written under SUID_DUMP_ROOT relative to the root directory of init.

Signed-off-by: Jann Horn <jann@thejh.net>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2016-03-22 15:36:02 -07:00
..
chan_kern.c Merge 3.9-rc3 into tty-next 2013-03-21 16:07:34 -07:00
chan_user.c um: Use tty_port in SIGWINCH handler 2013-03-11 10:08:04 +01:00
chan_user.h um: Use tty_port in SIGWINCH handler 2013-03-11 10:08:04 +01:00
chan.h um: Use tty_port in SIGWINCH handler 2013-03-11 10:08:04 +01:00
cow_sys.h
cow_user.c
cow.h
daemon_kern.c
daemon_user.c
daemon.h
fd.c
harddog_kern.c
harddog_user.c um: Do not use stdin and stdout identifiers for struct members 2015-06-25 22:42:19 +02:00
hostaudio_kern.c [um] hostaudio: don't open-code memdup_user() 2016-01-04 10:29:40 -05:00
line.c uml: Fix unsafe pid reference to foreground process group 2014-11-05 16:26:13 -08:00
line.h
Makefile
mconsole_kern.c fs/coredump: prevent fsuid=0 dumps into user-controlled directories 2016-03-22 15:36:02 -07:00
mconsole_kern.h
mconsole_user.c
mconsole.h um: Stop abusing __KERNEL__ 2015-05-31 22:05:32 +02:00
mmapper_kern.c
net_kern.c um: net: replace GFP_KERNEL with GFP_ATOMIC when spinlock is held 2015-11-06 22:51:00 +01:00
net_user.c um: fix returns without va_end 2015-12-08 22:26:00 +01:00
null.c
pcap_kern.c
pcap_user.c
pcap_user.h
port_kern.c
port_user.c
port.h
pty.c
random.c sched, cleanup, treewide: Remove set_current_state(TASK_RUNNING) after schedule() 2014-09-19 12:35:17 +02:00
slip_common.c
slip_common.h
slip_kern.c
slip_user.c um: Do not use stdin and stdout identifiers for struct members 2015-06-25 22:42:19 +02:00
slip.h
slirp_kern.c
slirp_user.c um: Do not use stdin and stdout identifiers for struct members 2015-06-25 22:42:19 +02:00
slirp.h
ssl.c um: Use tty_port_operations->destruct 2013-03-11 10:08:03 +01:00
ssl.h
stderr_console.c
stdio_console.c um: Use tty_port_operations->destruct 2013-03-11 10:08:03 +01:00
stdio_console.h
tty.c
ubd_kern.c um: Update UBD to use pread/pwrite family of functions 2016-01-10 21:49:48 +01:00
ubd_user.c um: Cleanup SIGTERM handling 2013-09-07 10:56:58 +02:00
ubd.h um: Cleanup SIGTERM handling 2013-09-07 10:56:58 +02:00
umcast_kern.c
umcast_user.c
umcast.h
vde_kern.c
vde_user.c
vde.h
xterm_kern.c
xterm.c
xterm.h