On Fri, Jun 22, 2012 at 2:57 PM, Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> wrote: > On Fri, 22 Jun 2012 14:51:54 -0700 > Kees Cook <keescook@xxxxxxxxxxxx> wrote: > >> > And how serious is the security vulnerability, in real-world terms? >> > Serious enough to risk this amount of bustage? >> >> If they're running in mode "2" and they do not have a coredump pipe >> handler defined, local users can gain root access. > > But the kernel can detect this case and avoid it? If we do that at the same > time, we can avoid any mode=2 non-back-compatible breakage? What? Do you mean detect if it's going to disk or to a pipe? suid core dumps going to disk is not safe. The "mode=2" stuff was added in an attempt to make it safe, but it has never actually be safe. Some Linux systems with integrated crash handlers (i.e. core_pattern with a pipe) want to catch crashes even in suid processes, so mode=2 makes sense for them since they're handling the core dump directly, making decisions about it, etc. However, if that core_pattern is not a pipe, this leads to local users being able to trick root processes into doing things to give the user root access. mode=2 to disk _should_ break, is my point. It is not safe. Hence, my original change to just disallow a mode=2 coredump from going to disk. It's fine to throw it at the pipe, so leave that as-is. -Kees -- Kees Cook Chrome OS Security -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
