From: Marcel Holtmann <marcel@holtmann.org>
To: Linus Torvalds <torvalds@osdl.org>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@osdl.org>, Eugene Teo <eteo@redhat.com>
Subject: Require mmap handler for a.out executables
Date: Wed, 26 Jul 2006 12:31:21 +0200 [thread overview]
Message-ID: <1153909881.746.39.camel@localhost> (raw)
[-- Attachment #1: Type: text/plain, Size: 519 bytes --]
Hi Linus,
with the nasty /proc privilege escalation (CVE-2006-3626) it became
clear that we need to do something more to better protect us against
people exploiting stuff in /proc. Besides the don't allow chmod stuff,
Eugene also proposed to depend the a.out execution on the existence of
the mmap handler. Since we are doing the same for ELF, this makes
totally sense to me.
The attached patch implements the additional check for the mmap handler
and I hope you consider it for upstream inclusion.
Regards
Marcel
[-- Attachment #2: patch --]
[-- Type: text/plain, Size: 1448 bytes --]
[PATCH] Require mmap handler for a.out executables
Files supported by fs/proc/base.c, i.e. /proc/<pid>/*, are not capable
of meeting the validity checks in ELF load_elf_*() handling because they
have no mmap handler which is required by ELF. In order to stop a.out
executables being used as part of an exploit attack against /proc-related
vulnerabilities, we make a.out executables depend on ->mmap() existing.
Signed-off-by: Eugene Teo <eteo@redhat.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
---
commit 1597cf8405734e4747c808bb7e04115a6670dccf
tree 49050549aee6406dab0c021c5aa4e9bfc337bd8f
parent 44eb123126d289bac398cac0232309c228386671
author Marcel Holtmann <marcel@holtmann.org> Wed, 26 Jul 2006 12:12:14 +0200
committer Marcel Holtmann <marcel@holtmann.org> Wed, 26 Jul 2006 12:12:14 +0200
fs/binfmt_aout.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)
diff --git a/fs/binfmt_aout.c b/fs/binfmt_aout.c
index f312103..5638acf 100644
--- a/fs/binfmt_aout.c
+++ b/fs/binfmt_aout.c
@@ -278,6 +278,9 @@ static int load_aout_binary(struct linux
return -ENOEXEC;
}
+ if (!bprm->file->f_op || !bprm->file->f_op->mmap)
+ return -ENOEXEC;
+
fd_offset = N_TXTOFF(ex);
/* Check initial limits. This avoids letting people circumvent
@@ -476,6 +479,9 @@ static int load_aout_library(struct file
goto out;
}
+ if (!file->f_op || !file->f_op->mmap)
+ goto out;
+
if (N_FLAGS(ex))
goto out;
next reply other threads:[~2006-07-26 10:31 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-07-26 10:31 Marcel Holtmann [this message]
2006-07-27 15:07 ` Require mmap handler for a.out executables Christoph Hellwig
2006-07-27 15:18 ` Linus Torvalds
2006-07-27 15:44 ` Marcel Holtmann
2006-07-27 17:21 ` Eugene Teo
[not found] <6COYh-8f0-41@gated-at.bofh.it>
2006-07-27 17:49 ` Bodo Eggert
2006-07-27 17:59 ` Eugene Teo
2006-07-27 18:25 ` Alan Cox
2006-07-27 21:18 ` Bodo Eggert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1153909881.746.39.camel@localhost \
--to=marcel@holtmann.org \
--cc=akpm@osdl.org \
--cc=eteo@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=torvalds@osdl.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox