1
linux/fs
Hugh Dickins 7c2c7d9930 fix setuid sometimes wouldn't
check_unsafe_exec() also notes whether the fs_struct is being
shared by more threads than will get killed by the exec, and if so
sets LSM_UNSAFE_SHARE to make bprm_set_creds() careful about euid.
But /proc/<pid>/cwd and /proc/<pid>/root lookups make transient
use of get_fs_struct(), which also raises that sharing count.

This might occasionally cause a setuid program not to change euid,
in the same way as happened with files->count (check_unsafe_exec
also looks at sighand->count, but /proc doesn't raise that one).

We'd prefer exec not to unshare fs_struct: so fix this in procfs,
replacing get_fs_struct() by get_fs_path(), which does path_get
while still holding task_lock, instead of raising fs->count.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: stable@kernel.org
___

 fs/proc/base.c |   50 +++++++++++++++--------------------------------
 1 file changed, 16 insertions(+), 34 deletions(-)
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2009-03-28 17:30:00 -07:00
..
9p vfs: simple_set_mnt() should return void 2009-03-27 14:44:03 -04:00
adfs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
affs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
afs constify dentry_operations: AFS 2009-03-27 14:44:00 -04:00
autofs constify dentry_operations: autofs, autofs4 2009-03-27 14:44:00 -04:00
autofs4 constify dentry_operations: autofs, autofs4 2009-03-27 14:44:00 -04:00
befs fs/Kconfig: move befs out 2009-01-22 13:15:57 +03:00
bfs fs/Kconfig: move bfs out 2009-01-22 13:15:57 +03:00
btrfs btrfs: get rid of current_is_pdflush() in btrfs_btree_balance_dirty 2009-03-26 11:01:35 +01:00
cifs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
coda constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
configfs constify dentry_operations: configfs 2009-03-27 14:44:03 -04:00
cramfs fs/Kconfig: move cramfs out 2009-01-22 13:15:58 +03:00
debugfs
devpts Merge code for single and multiple-instance mounts 2009-03-27 14:44:04 -04:00
dlm dlm: fix length calculation in compat code 2009-03-11 12:23:59 -05:00
ecryptfs constify dentry_operations: ecryptfs 2009-03-27 14:44:01 -04:00
efs fs/Kconfig: move efs out 2009-01-22 13:15:57 +03:00
exportfs
ext2 ext2: Zero our b_size in ext2_quota_read() 2009-03-26 02:18:38 +01:00
ext3 Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-quota-2.6 2009-03-27 14:48:34 -07:00
ext4 ext4: Use lowercase names of quota functions 2009-03-26 02:18:36 +01:00
fat constify dentry_operations: FAT 2009-03-27 14:44:01 -04:00
freevxfs fs/Kconfig: move vxfs out 2009-01-22 13:15:58 +03:00
fuse constify dentry_operations: FUSE 2009-03-27 14:44:01 -04:00
gfs2 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
hfs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
hfsplus constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
hostfs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
hpfs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
hppfs
hugetlbfs Do not account for the address space used by hugetlbfs using VM_ACCOUNT 2009-02-10 10:48:42 -08:00
isofs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
jbd jbd: fix return value of journal_start_commit() 2009-02-11 14:25:35 -08:00
jbd2 jbd2: Avoid possible NULL dereference in jbd2_journal_begin_ordered_truncate() 2009-02-10 11:15:34 -05:00
jffs2 [JFFS2] fix mount crash caused by removed nodes 2009-02-21 11:09:29 +01:00
jfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
lockd NLM: Fix GRANT callback address comparison when IPv6 is enabled 2009-03-10 20:33:20 -04:00
minix Update my email address 2009-03-22 11:28:37 -07:00
ncpfs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
nfs constify dentry_operations: NFS 2009-03-27 14:43:59 -04:00
nfs_common
nfsd Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-quota-2.6 2009-03-27 14:48:34 -07:00
nls
notify fs: avoid I_NEW inodes 2009-03-27 14:44:05 -04:00
ntfs fs/Kconfig: move ntfs out 2009-01-22 13:15:55 +03:00
ocfs2 constify dentry_operations: OCFS2 2009-03-27 14:44:02 -04:00
omfs fs/Kconfig: move omfs out 2009-01-22 13:15:58 +03:00
openpromfs
partitions Merge branch 'for-linus' of git://git390.marist.edu/pub/scm/linux-2.6 2009-03-26 16:04:22 -07:00
proc fix setuid sometimes wouldn't 2009-03-28 17:30:00 -07:00
qnx4 fs/Kconfig: move qnx4 out 2009-01-22 13:15:59 +03:00
quota Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
ramfs ramfs: Remove quota call 2009-03-26 02:18:35 +01:00
reiserfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
romfs fs/Kconfig: move romfs out 2009-01-22 13:15:59 +03:00
smbfs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
squashfs Squashfs: Valid filesystems are flagged as bad by the corrupted fs patch 2009-03-12 03:23:48 +00:00
sysfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
sysv constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
ubifs vfs: simple_set_mnt() should return void 2009-03-27 14:44:03 -04:00
udf udf: Use lowercase names of quota functions 2009-03-26 02:18:36 +01:00
ufs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
xfs xfs: only issues a cache flush on unmount if barriers are enabled 2009-03-06 17:35:12 -06:00
aio.c aio: lookup_ioctx can return the wrong value when looking up a bogus context 2009-03-19 15:57:18 -07:00
anon_inodes.c constify dentry_operations: rest 2009-03-27 14:44:03 -04:00
attr.c vfs: Use lowercase names of quota functions 2009-03-26 02:18:35 +01:00
bad_inode.c
binfmt_aout.c
binfmt_elf_fdpic.c
binfmt_elf.c elf core dump: fix get_user use 2009-02-06 17:34:07 -08:00
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
binfmt_som.c
bio-integrity.c block: add private bio_set for bio integrity allocations 2009-03-24 12:35:17 +01:00
bio.c block: add private bio_set for bio integrity allocations 2009-03-24 12:35:17 +01:00
block_dev.c fs: move bdev code out of buffer.c 2009-03-27 14:44:03 -04:00
buffer.c fs: move bdev code out of buffer.c 2009-03-27 14:44:03 -04:00
char_dev.c
compat_binfmt_elf.c
compat_ioctl.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2009-03-01 21:35:16 -08:00
compat.c fix setuid sometimes doesn't 2009-03-28 17:30:00 -07:00
dcache.c cleanup d_add_ci 2009-03-27 14:43:57 -04:00
dcookies.c [CVE-2009-0029] System call wrapper special cases 2009-01-14 14:15:18 +01:00
direct-io.c
drop_caches.c fs: avoid I_NEW inodes 2009-03-27 14:44:05 -04:00
eventfd.c [CVE-2009-0029] System call wrappers part 32 2009-01-14 14:15:31 +01:00
eventpoll.c Rename struct file->f_ep_lock 2009-03-16 08:32:27 -06:00
exec.c fix setuid sometimes doesn't 2009-03-28 17:30:00 -07:00
fcntl.c Rationalize fasync return values 2009-03-16 08:34:35 -06:00
fifo.c
file_table.c Merge branch 'bkl-removal' of git://git.lwn.net/linux-2.6 2009-03-26 16:14:02 -07:00
file.c
filesystems.c [CVE-2009-0029] System call wrappers part 27 2009-01-14 14:15:29 +01:00
fs-writeback.c fs: new inode i_state corruption fix 2009-03-12 16:20:24 -07:00
generic_acl.c
inode.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
internal.h fix setuid sometimes doesn't 2009-03-28 17:30:00 -07:00
ioctl.c Rationalize fasync return values 2009-03-16 08:34:35 -06:00
ioprio.c [CVE-2009-0029] System call wrappers part 28 2009-01-14 14:15:30 +01:00
Kconfig quota: Move quota files into separate directory 2009-03-26 02:18:35 +01:00
Kconfig.binfmt CORE_DUMP_DEFAULT_ELF_HEADERS depends on ELF_CORE 2009-01-09 16:54:41 -08:00
libfs.c vfs: simple_set_mnt() should return void 2009-03-27 14:44:03 -04:00
locks.c [CVE-2009-0029] System call wrappers part 16 2009-01-14 14:15:25 +01:00
Makefile quota: Move quota files into separate directory 2009-03-26 02:18:35 +01:00
mbcache.c
mpage.c
namei.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
namespace.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
nfsctl.c [CVE-2009-0029] System call wrappers part 27 2009-01-14 14:15:29 +01:00
no-block.c
open.c vfs: Use lowercase names of quota functions 2009-03-26 02:18:35 +01:00
pipe.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
pnode.c
pnode.h
posix_acl.c
read_write.c [CVE-2009-0029] System call wrappers part 20 2009-01-14 14:15:26 +01:00
read_write.h
readdir.c [CVE-2009-0029] System call wrappers part 32 2009-01-14 14:15:31 +01:00
select.c [CVE-2009-0029] System call wrappers part 32 2009-01-14 14:15:31 +01:00
seq_file.c seq_file: properly cope with pread 2009-02-18 15:37:53 -08:00
signalfd.c [CVE-2009-0029] System call wrappers part 31 2009-01-14 14:15:31 +01:00
splice.c [CVE-2009-0029] System call wrappers part 31 2009-01-14 14:15:31 +01:00
stack.c
stat.c [CVE-2009-0029] System call wrappers part 30 2009-01-14 14:15:30 +01:00
super.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
sync.c Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-quota-2.6 2009-03-27 14:48:34 -07:00
timerfd.c timerfd: add flags check 2009-02-18 15:37:53 -08:00
utimes.c [CVE-2009-0029] System call wrappers part 30 2009-01-14 14:15:30 +01:00
xattr_acl.c
xattr.c [CVE-2009-0029] System call wrappers part 13 2009-01-14 14:15:23 +01:00