Coredumping design error

Eduardo Tongson propolice at gmail.com
Fri Feb 15 09:51:27 PST 2008


Hello,

Similar to CVE-2007-6206 [1], I also noticed this minor design error in
DragonFly BSD when using the default %N.core format.

> id
uid=1001(user) gid=1001(user) groups=1001(user), 0(wheel)
> ./coredumper
Segmentation fault (core dumped)
syslog: Feb 16 09:40:22  kernel: pid 723 (coredumper), uid 1001:
exited on signal 11 (core dumped)
> md5 coredumper.core
MD5 (coredumper.core) = 1a21427d1b52b9bbea22cbf2b207b6f7
> ls -la coredumper.core
-rw-------  1 user  user  1003520 Feb 16 09:40 coredumper.core
> su
Password:
syslog: Feb 16 09:40:56  su: user to root on /dev/ttyd0
# ./coredumper
Segmentation fault (core dumped)
syslog: Feb 16 09:41:14  kernel: pid 728 (coredumper), uid 0: exited
on signal 11 (core dumped)
# md5 coredumper.core
MD5 (coredumper.core) = 68e3e5fee874e688c795537721a6b511
# ls -la coredumper.core
-rw-------  1 user  user  1003520 Feb 16 09:41 coredumper.core
#

I was not able to test the below patch. Trivial enough to fix if broken.

--- kern_sig.c	2008-02-14 13:41:12.000000000 +0800
+++ kern_sig-20080216.c	2008-02-16 01:15:01.000000000 +0800
@@ -2066,6 +2066,12 @@ coredump(struct lwp *lp, int sig)
 		goto out1;
 	}

+        /* Don't dump to files current user does not own */
+	if (vattr.va_uid != p->p_ucred->cr_uid) {
+		error = EFAULT;
+		goto out1;
+	}
+
 	VATTR_NULL(&vattr);
 	vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
 	vattr.va_size = 0;
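Review bot: EFAULT is the wrong errno for the new ownership check (`if (vattr.va_uid != p->p_ucred->cr_uid)`); EFAULT means a bad user-space address, whereas refusing to dump over a file owned by a different user is a permission decision, so EPERM or EACCES would describe the failure accurately and be less confusing to anyone tracing a missing core file. The placement itself looks right: va_uid is read from the earlier getattr before `VATTR_NULL(&vattr)` clears the structure for the truncate, so the comparison sees the existing file's owner rather than a zeroed field. One style point: the comment line `/* Don't dump to files current user does not own */` is indented with spaces while the surrounding code uses tabs.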


Regards,
  Ed

[1] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6206>
