Coredumping design error
Eduardo Tongson
propolice at gmail.com
Fri Feb 15 09:51:27 PST 2008
Hello,
Similar to CVE-2007-6206 [1], I also noticed this minor design error in
DragonFly BSD when using the default %N.core format.
> id
uid=1001(user) gid=1001(user) groups=1001(user), 0(wheel)
> ./coredumper
Segmentation fault (core dumped)
syslog: Feb 16 09:40:22 kernel: pid 723 (coredumper), uid 1001:
exited on signal 11 (core dumped)
> md5 coredumper.core
MD5 (coredumper.core) = 1a21427d1b52b9bbea22cbf2b207b6f7
> ls -la coredumper.core
-rw------- 1 user user 1003520 Feb 16 09:40 coredumper.core
> su
Password:
syslog: Feb 16 09:40:56 su: user to root on /dev/ttyd0
# ./coredumper
Segmentation fault (core dumped)
syslog: Feb 16 09:41:14 kernel: pid 728 (coredumper), uid 0: exited
on signal 11 (core dumped)
# md5 coredumper.core
MD5 (coredumper.core) = 68e3e5fee874e688c795537721a6b511
# ls -la coredumper.core
-rw------- 1 user user 1003520 Feb 16 09:41 coredumper.core
#
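A userland analogue of the ownership check the patch below adds to coredump(), written here as an added example: it is not the poster's code and not anything from DragonFly's kern_sig.c, and the function names open_core_file and run_scenarios, the /tmp paths and the sample file contents are my own constructions. It opens the dump target without O_TRUNC, fstat()s the descriptor it actually obtained, and refuses to truncate when the file's owner is not the uid doing the dump, which is exactly the root-after-su run in the session above (root's dump landing in a 0600 file that stays owned by user). It goes a step beyond the patch in two ways: the check is made on the opened descriptor rather than on attributes read before the file is locked, so nothing can be swapped in between check and use, and symlinks and non-regular files at the core path are rejected outright.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Open `path` for writing a core-style dump on behalf of `dumper_uid`.
 * Returns a descriptor already truncated to zero length, or -1 with errno:
 *   EPERM  - an existing file owned by someone else (the bug in the post)
 *   EINVAL - not a regular file (device, fifo, ...)
 *   ELOOP  - a symlink sits at the path (O_NOFOLLOW), EMLINK on some BSDs
 */
int open_core_file(const char *path, uid_t dumper_uid)
{
    struct stat st;
    int fd, saved;

    /* Deliberately no O_TRUNC: decide first, destroy data only after the check. */
    fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;

    /* fstat the descriptor, not the path: the object checked is the object
     * written, so a rename or chown in between cannot substitute another file. */
    if (fstat(fd, &st) < 0) {
        saved = errno; close(fd); errno = saved; return -1;
    }
    if (!S_ISREG(st.st_mode)) {
        close(fd); errno = EINVAL; return -1;
    }
    if (st.st_uid != dumper_uid) {
        /* The same condition the patch expresses as vattr.va_uid != cr_uid. */
        close(fd); errno = EPERM; return -1;
    }
    if (ftruncate(fd, 0) < 0) {
        saved = errno; close(fd); errno = saved; return -1;
    }
    return fd;
}

/*
 * Constructed scenarios mirroring the session in the post. Returns a bitmask:
 *   bit 0: a file we own is accepted when dumping as ourselves
 *   bit 1: the same file is refused with EPERM for a different uid
 *          (the root dump overwriting user's coredumper.core)
 *   bit 2: a symlink at the core path is refused
 * Needs a writable /tmp; no privileges are required.
 */
int run_scenarios(void)
{
    char core[] = "/tmp/coredumper.core.XXXXXX";   /* constructed temp path */
    char lnk[64];
    int fd, result = 0;
    uid_t me = geteuid();

    fd = mkstemp(core);
    if (fd < 0)
        return -1;
    (void)write(fd, "stale contents\n", 15);
    close(fd);

    fd = open_core_file(core, me);
    if (fd >= 0) {
        result |= 1;
        (void)write(fd, "core image\n", 11);
        close(fd);
    }

    /* me + 1 stands in for "some other uid" owning the process. */
    if (open_core_file(core, me + 1) == -1 && errno == EPERM)
        result |= 2;

    snprintf(lnk, sizeof lnk, "%s.lnk", core);
    if (symlink(core, lnk) == 0) {
        if (open_core_file(lnk, me) == -1)
            result |= 4;
        unlink(lnk);
    }
    unlink(core);
    return result;
}

int main(void)
{
    int r = run_scenarios();
    printf("own file accepted:      %s\n", (r & 1) ? "yes" : "no");
    printf("foreign owner refused:  %s\n", (r & 2) ? "yes" : "no");
    printf("symlink refused:        %s\n", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

The ordering is the point: in the kernel patch the uid comparison is made on attributes fetched earlier and only then is the vnode locked and truncated, whereas here the descriptor is obtained first and every decision is made on that same descriptor, so the check and the write cannot refer to different objects.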
I was not able to test the below patch. Trivial enough to fix if broken.
--- kern_sig.c 2008-02-14 13:41:12.000000000 +0800
+++ kern_sig-20080216.c 2008-02-16 01:15:01.000000000 +0800
@@ -2066,6 +2066,12 @@ coredump(struct lwp *lp, int sig)
goto out1;
}
+ /* Don't dump to files current user does not own */
+ if (vattr.va_uid != p->p_ucred->cr_uid) {
+ error = EFAULT;
+ goto out1;
+ }
+
VATTR_NULL(&vattr);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
vattr.va_size = 0;
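Review bot: the new ownership test `if (vattr.va_uid != p->p_ucred->cr_uid)` is evaluated before `vn_lock(vp, LK_EXCLUSIVE | LK_RETRY)`, so it compares attributes that were read without the vnode locked, and a chown or rename of the target between the check and the truncation that follows `vattr.va_size = 0;` would still get an existing file past it; consider doing the getattr that fills `vattr` and this comparison under the exclusive lock, just before the truncate. Separately, `error = EFAULT;` is a misleading errno for a refusal to write to someone else's file; `EPERM` matches the comment "Don't dump to files current user does not own" and what callers would expect.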
Regards,
Ed
[1] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6206>