The patch titled Subject: fs/coredump: prevent "" / "." / ".." core path components has been added to the -mm tree. Its filename is fs-coredump-prevent-core-path-components.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/fs-coredump-prevent-core-path-components.patch and later at http://ozlabs.org/~akpm/mmotm/broken-out/fs-coredump-prevent-core-path-components.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Jann Horn <jann@xxxxxxxxx> Subject: fs/coredump: prevent "" / "." / ".." core path components Let %h and %e print empty values as "!", "." as "!" and ".." as "!.". This prevents hostnames and comm values that are empty or consist of one or two dots from changing the directory level at which the corefile will be stored. It seems very unlikely that this caused security issues anywhere, so I'm not requesting a stable backport. Signed-off-by: Jann Horn <jann@xxxxxxxxx> Acked-by: Kees Cook <keescook@xxxxxxxxxxxx> Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- fs/coredump.c | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff -puN fs/coredump.c~fs-coredump-prevent-core-path-components fs/coredump.c --- a/fs/coredump.c~fs-coredump-prevent-core-path-components +++ a/fs/coredump.c 
@@ -117,6 +117,26 @@ int cn_esc_printf(struct core_name *cn, ret = cn_vprintf(cn, fmt, arg); va_end(arg); + if (ret == 0) { + /* + * Ensure that this coredump name component can't cause the + * resulting corefile path to contain a ".." or "." component. + */ + if ((cn->used - cur == 1 && cn->corename[cur] == '.') || + (cn->used - cur == 2 && cn->corename[cur] == '.' + && cn->corename[cur+1] == '.')) + cn->corename[cur] = '!'; + + /* + * Empty names are fishy and could be used to create a "//" in a + * corefile name, causing the coredump to happen one directory + * level too high. Enforce that all components of the core + * pattern are at least one character long. + */ + if (cn->used == cur) + ret = cn_printf(cn, "!"); + } + for (; cur < cn->used; ++cur) { if (cn->corename[cur] == '/') cn->corename[cur] = '!'; _ Patches currently in -mm which might be from jann@xxxxxxxxx are security-let-security-modules-use-ptrace_mode_-with-bitmasks.patch ptrace-use-fsuid-fsgid-effective-creds-for-fs-access-checks.patch fs-coredump-prevent-core-path-components.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
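Review bot: in the two new comparisons inside the `if (ret == 0)` block, the second condition breaks the line before `&&` and writes `cur+1` without spaces; kernel style keeps the logical operator at the end of the previous line and puts spaces around binary operators, so consider `(cn->used - cur == 2 && cn->corename[cur] == '.' &&` followed by `cn->corename[cur + 1] == '.'))`. The diffstat touches only fs/coredump.c, so the core_pattern sysctl documentation still does not say that an empty, "." or ".." %h/%e value is rewritten to "!" or "!."; a one-line note there would help user-space tooling that parses core file names. The logic itself reads correctly: the rewrite only runs when cn_vprintf succeeded, the substitution reuses the same '!' escape character that the existing '/' loop below already applies, and an error from cn_printf(cn, "!") is propagated through ret.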