linux/arch
Kees Cook d049f74f2d exec/ptrace: fix get_dumpable() incorrect tests
The get_dumpable() return value is not boolean.  Most users of the
function actually want to be testing for non-SUID_DUMP_USER(1) rather than
SUID_DUMP_DISABLE(0).  The SUID_DUMP_ROOT(2) is also considered a
protected state.  Almost all places did this correctly, excepting the two
places fixed in this patch.

Wrong logic:
    if (dumpable == SUID_DUMP_DISABLE) { /* be protective */ }
        or
    if (dumpable == 0) { /* be protective */ }
        or
    if (!dumpable) { /* be protective */ }

Correct logic:
    if (dumpable != SUID_DUMP_USER) { /* be protective */ }
        or
    if (dumpable != 1) { /* be protective */ }

Without this patch, if the system had set the sysctl fs/suid_dumpable=2, a
user was able to ptrace attach to processes that had dropped privileges to
that user.  (This may have been partially mitigated if Yama was enabled.)

The macros have been moved into the file that declares get/set_dumpable(),
which means things like the ia64 code can see them too.

CVE-2013-2929

Reported-by: Vasily Kulikov <segoon@openwall.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: "Luck, Tony" <tony.luck@intel.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-11-13 12:09:33 +09:00
..
alpha errno.h: remove "NFS" from descriptions in comments 2013-11-13 12:09:12 +09:00
arc DeviceTree updates for 3.13. This is a bit larger pull request than 2013-11-12 16:52:17 +09:00
arm arch/arm/mach-davinci/sram.c: use gen_pool_dma_alloc() to sram.c 2013-11-13 12:09:22 +09:00
arm64 mm/arch: use NUMA_NO_NODE 2013-11-13 12:09:05 +09:00
avr32 Linux 3.12-rc4 2013-10-09 12:36:13 +02:00
blackfin Main pin control pull request for the v3.13 cycle: 2013-11-12 15:40:03 +09:00
c6x DeviceTree updates for 3.13. This is a bit larger pull request than 2013-11-12 16:52:17 +09:00
cris cris: media platform drivers: fix build 2013-11-13 12:08:59 +09:00
frv
hexagon DeviceTree updates for 3.13. This is a bit larger pull request than 2013-11-12 16:52:17 +09:00
ia64 exec/ptrace: fix get_dumpable() incorrect tests 2013-11-13 12:09:33 +09:00
m32r
m68k Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-11-12 10:20:12 +09:00
metag mm: use pgdat_end_pfn() to simplify the code in arch 2013-11-13 12:09:03 +09:00
microblaze mm/arch: use __free_reserved_page() to simplify the code 2013-11-13 12:09:03 +09:00
mips errno.h: remove "NFS" from descriptions in comments 2013-11-13 12:09:12 +09:00
mn10300
openrisc DeviceTree updates for 3.13. This is a bit larger pull request than 2013-11-12 16:52:17 +09:00
parisc errno.h: remove "NFS" from descriptions in comments 2013-11-13 12:09:12 +09:00
powerpc mm: use pgdat_end_pfn() to simplify the code in arch 2013-11-13 12:09:03 +09:00
s390 s390/mmap: randomize mmap base for bottom up direction 2013-11-13 12:09:08 +09:00
score Linux 3.12-rc4 2013-10-09 12:36:13 +02:00
sh sh: move fpu_counter into ARCH specific thread_struct 2013-11-13 12:09:13 +09:00
sparc errno.h: remove "NFS" from descriptions in comments 2013-11-13 12:09:12 +09:00
tile Merge branch 'core/urgent' into sched/core 2013-10-11 07:39:37 +02:00
um Merge branch 'linus' into sched/core 2013-11-01 08:24:41 +01:00
unicore32
x86 x86: move fpu_counter into ARCH specific thread_struct 2013-11-13 12:09:13 +09:00
xtensa DeviceTree updates for 3.13. This is a bit larger pull request than 2013-11-12 16:52:17 +09:00
.gitignore
Kconfig Merge branch 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2013-11-12 10:36:00 +09:00