SECURITY BUG: Symlink exploit in 2.6.8 ia64 build scripts

SECURITY BUG: Symlink exploit in 2.6.8 ia64 build scripts

[Dominik Vogt]

[-- Attachment #1: Type: text/plain, Size: 1335 bytes --]

The 2.6.8 kernel sources (and earlier 2.6.x versions) are
susceptible to temporary filename attacks.  In the arch/ia64
branch, there are several scripts that are vulnerable to known
temporary filename attacks:

  scripts/check-gas
  scripts/toolchain-flags
  sn/runsim

All three write to temporary files named out$$, out$$.o or tmp.$$
where $$ is replaced with the process pid.

A local attacker can use symlinks to let the build processes
overwrite any file if they are executed as root.

Exploit script:

  $ cd /tmp || exit 1
  $ for i in `seq 32767`; do ln -s owned out.$i.o; done
  $ cd <path_to_2.6.8 sources>
  $ make ARCH=ia64

should demonstrate the problem, but I can't test it as I don't
have an ia64 cross compiler.  However, I can see that, for
example, the line

   gcc -c <path>/arch/ia64/scripts/check-gas-asm.S -o /tmp/out29763.o

is executed, and if I remove the contents of check-gas-asm.S, the
symlink attack does work (i.e. the file /tmp/owned is
overwritten).

Proposed fix:

Normally, I would fix that by using the mktemp command to generate
the temporary filenames, but I'm not sure that is acceptable for
the kernel:

  umask 077
  out=`mktemp "$tmp/outXXXXXXXX.o"` || exit 1

An alternate solution might be

  umask 077
  set -C

(Please CC me)

Ciao

Dominik ^_^  ^_^

 --
Dominik Vogt, dominik.vogt@gmx.de

[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]