linux/fs
Alexey Dobriyan 1fb8449618 [PATCH] core-dumping unreadable binaries via PT_INTERP
Proposed patch to fix #5 in
http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt
aka
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1073

To reproduce, do
* grab poc at the end of advisory.
* add line "eph.p_memsz = 4096;" after "eph.p_filesz = 4096;"
  where first "4096" is something equal to or greater than 4096.
* ./poc /usr/bin/sudo && ls -l

Here is what I get with 2.6.20-rc5:

 -rw------- 1 ad   ad   102400 2007-01-15 19:17 core
 ---s--x--x 2 root root 101820 2007-01-15 19:15 /usr/bin/sudo

Check for MAY_READ like binfmt_misc.c does.

Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-01-26 13:51:00 -08:00
9p [PATCH] 9p: null terminate error strings for debug print 2007-01-26 13:51:00 -08:00
adfs [PATCH] adfs: fix filename handling 2007-01-05 23:55:22 -08:00
affs [PATCH] affs: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:43 -08:00
afs [PATCH] rename struct namespace to struct mnt_namespace 2006-12-08 08:28:51 -08:00
autofs [PATCH] autofs: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:43 -08:00
autofs4 [PATCH] getting rid of all casts of k[cmz]alloc() calls 2006-12-13 09:05:58 -08:00
befs [PATCH] getting rid of all casts of k[cmz]alloc() calls 2006-12-13 09:05:58 -08:00
bfs [PATCH] update Tigran's email addresses 2006-12-13 09:05:53 -08:00
cifs Merge git://git.kernel.org/pub/scm/linux/kernel/git/sfrench/cifs-2.6 2007-01-24 09:46:54 -08:00
coda [PATCH] struct path: convert coda 2006-12-08 08:28:44 -08:00
configfs [PATCH] configfs: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:43 -08:00
cramfs [PATCH] struct path: convert cramfs 2006-12-08 08:28:44 -08:00
debugfs DebugFS : file/directory removal fix 2006-12-13 15:38:45 -08:00
devpts [PATCH] inode-diet: Eliminate i_blksize from the inode structure 2006-09-27 08:26:18 -07:00
dlm [DLM] fix compile warning 2006-12-15 12:51:22 -05:00
ecryptfs [PATCH] ecryptfs: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:43 -08:00
efs [PATCH] struct path: convert efs 2006-12-08 08:28:45 -08:00
exportfs [PATCH] VFS: Make filldir_t and struct kstat deal in 64-bit inode numbers 2006-10-03 08:03:40 -07:00
ext2 [PATCH] LOG2: Implement a general integer log2 facility in the kernel 2006-12-08 08:28:51 -08:00
ext3 [PATCH] LOG2: Implement a general integer log2 facility in the kernel 2006-12-08 08:28:51 -08:00
ext4 [PATCH] ext4: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:41 -08:00
fat [PATCH] fat: change uses of f_{dentry,vfsmnt} to use f_path 2006-12-08 08:28:41 -08:00
freevxfs [PATCH] struct path: convert freevxfs 2006-12-08 08:28:45 -08:00
fuse [PATCH] fuse: remove clear_page_dirty() call 2006-12-21 09:25:08 -08:00
gfs2 [PATCH] Revert bd_mount_mutex back to a semaphore 2007-01-11 18:18:21 -08:00
hfs [PATCH] struct path: convert hfs 2006-12-08 08:28:45 -08:00
hfsplus [PATCH] struct path: convert hfsplus 2006-12-08 08:28:45 -08:00
hostfs [PATCH] struct path: convert hostfs 2006-12-08 08:28:45 -08:00
hpfs [PATCH] struct path: convert hpfs 2006-12-08 08:28:45 -08:00
hppfs [PATCH] struct path: convert hppfs 2006-12-08 08:28:45 -08:00
hugetlbfs VM: Remove "clear_page_dirty()" and "test_clear_page_dirty()" functions 2006-12-21 09:19:57 -08:00
isofs [PATCH] isofs: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:41 -08:00
jbd [PATCH] jbd: wait for already submitted t_sync_datalist buffer to complete 2006-12-22 08:55:51 -08:00
jbd2 [PATCH] jbd2: wait for already submitted t_sync_datalist buffer to complete 2006-12-07 08:39:42 -08:00
jffs Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6 2007-01-18 10:34:51 +11:00
jffs2 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux-2.6 2007-01-18 10:34:51 +11:00
jfs [PATCH] Fix JFS after clear_page_dirty() removal 2006-12-21 09:24:03 -08:00
lockd [PATCH] getting rid of all casts of k[cmz]alloc() calls 2006-12-13 09:05:58 -08:00
minix [PATCH] struct path: convert minix 2006-12-08 08:28:47 -08:00
msdos [PATCH] fat: add fat_getattr() 2006-11-16 11:43:38 -08:00
ncpfs [PATCH] ncpfs: ensure we free wdog_pid on parse_option or fill_inode failure 2006-12-13 09:05:53 -08:00
nfs [PATCH] NFS: Fix races in nfs_revalidate_mapping() 2007-01-24 12:31:06 -08:00
nfs_common [PATCH] nfs_common endianness annotations 2006-10-20 10:26:41 -07:00
nfsd [PATCH] knfsd: Fix type mismatch with filldir_t used by nfsd 2007-01-26 13:51:00 -08:00
nls [PATCH] fs: make nls_cp936.c handle some U00XY characters and U20AC correctly 2006-12-07 08:39:46 -08:00
ntfs NTFS: Forgot to bump version number in makefile to 2.1.28... 2007-01-18 10:28:18 +00:00
ocfs2 ocfs2: Add backup superblock info to ocfs2_fs.h 2007-01-21 16:20:10 -08:00
openpromfs [PATCH] struct path: convert openpromfs 2006-12-08 08:28:48 -08:00
partitions [MIPS] Rename SNI_RM200_PCI to just SNI_RM preparing for more RM machines 2006-12-09 01:03:58 +00:00
proc [PATCH] Fix NULL ->nsproxy dereference in /proc/*/mounts 2007-01-26 13:50:58 -08:00
qnx4 [PATCH] struct path: convert qnx4 2006-12-08 08:28:48 -08:00
ramfs [PATCH] ramfs breaks without CONFIG_BLOCK 2006-12-30 10:56:42 -08:00
reiserfs [PATCH] resierfs: avoid tail packing if an inode was ever mmapped 2007-01-23 07:52:06 -08:00
romfs [PATCH] struct path: convert romfs 2006-12-08 08:28:49 -08:00
smbfs [PATCH] smbfs: Make conn_pid a struct pid 2006-12-13 09:05:53 -08:00
sysfs [PATCH] sysfs: change uses of f_{dentry, vfsmnt} to use f_path 2006-12-08 08:28:41 -08:00
sysv [PATCH] fs/sysv/: proper prototypes for 2 functions 2006-12-22 08:55:47 -08:00
udf [PATCH] struct path: convert udf 2006-12-08 08:28:50 -08:00
ufs [PATCH] fix garbage instead of zeroes in UFS 2007-01-05 23:55:29 -08:00
vfat [PATCH] fat: add fat_getattr() 2006-11-16 11:43:38 -08:00
xfs [PATCH] Fix XFS after clear_page_dirty() removal 2006-12-21 10:01:08 -08:00
aio.c [PATCH] Fix lock inversion aio_kick_handler() 2006-12-30 10:55:54 -08:00
attr.c
bad_inode.c [PATCH] fix memory corruption from misinterpreted bad_inode_ops return values 2007-01-05 23:55:23 -08:00
binfmt_aout.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
binfmt_elf_fdpic.c [PATCH] core-dumping unreadable binaries via PT_INTERP 2007-01-26 13:51:00 -08:00
binfmt_elf.c [PATCH] core-dumping unreadable binaries via PT_INTERP 2007-01-26 13:51:00 -08:00
binfmt_em86.c
binfmt_flat.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
binfmt_misc.c [PATCH] getting rid of all casts of k[cmz]alloc() calls 2006-12-13 09:05:58 -08:00
binfmt_script.c
binfmt_som.c [PARISC] Fix fs/binfmt_som.c 2006-10-04 06:51:26 -06:00
bio.c [PATCH] optimize o_direct on block devices 2006-12-13 09:05:50 -08:00
block_dev.c [PATCH] fix blk_direct_IO bio preparation 2007-01-23 07:52:06 -08:00
buffer.c Resurrect 'try_to_free_buffers()' VM hackery 2007-01-26 12:47:06 -08:00
char_dev.c [PATCH] BLOCK: Move extern declarations out of fs/*.c into header files [try #6] 2006-09-30 20:52:18 +02:00
compat_ioctl.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
compat.c [PATCH] fdtable: Make fdarray and fdsets equal in size 2006-12-10 09:57:22 -08:00
dcache.c [PATCH] dcache: avoid RCU for never-hashed dentries 2006-12-07 08:39:41 -08:00
dcookies.c [PATCH] slab: remove kmem_cache_t 2006-12-07 08:39:25 -08:00
direct-io.c [PATCH] dio: lock refcount operations 2006-12-10 09:57:21 -08:00
dnotify.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
dquot.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
drop_caches.c
eventpoll.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
exec.c [PATCH] fdtable: Make fdarray and fdsets equal in size 2006-12-10 09:57:22 -08:00
fcntl.c [PATCH] fdtable: Make fdarray and fdsets equal in size 2006-12-10 09:57:22 -08:00
fifo.c
file_table.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
file.c [PATCH] fdtable: Provide free_fdtable() wrapper 2006-12-22 08:55:50 -08:00
filesystems.c [PATCH] Ban register_filesystem(NULL); 2006-09-29 09:18:20 -07:00
fs-writeback.c Write back inode data pages even when the inode itself is locked 2007-01-26 12:53:20 -08:00
generic_acl.c [PATCH] Generic infrastructure for acls 2006-09-29 09:18:24 -07:00
inode.c [PATCH] relative atime 2006-12-13 09:05:50 -08:00
inotify_user.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
inotify.c [PATCH] severing fs.h, radix-tree.h -> sched.h 2006-12-04 02:00:24 -05:00
internal.h [PATCH] CONFIG_BLOCK internal.h cleanups 2006-09-30 20:52:32 +02:00
ioctl.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
ioprio.c [PATCH] block layer: ioprio_best function fix 2006-10-12 15:09:51 +02:00
Kconfig [PATCH] Make JFFS depend on CONFIG_BROKEN 2006-12-22 08:55:48 -08:00
Kconfig.binfmt
libfs.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
locks.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
Makefile [PATCH] fsstack: Introduce fsstack_copy_{attr,inode}_* 2006-12-08 08:28:40 -08:00
mbcache.c [PATCH] slab: remove kmem_cache_t 2006-12-07 08:39:25 -08:00
mpage.c [PATCH] BLOCK: Dissociate generic_writepages() from mpage stuff [try #6] 2006-09-30 20:52:26 +02:00
namei.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
namespace.c [PATCH] relative atime 2006-12-13 09:05:50 -08:00
nfsctl.c Remove obsolete #include <linux/config.h> 2006-06-30 19:25:36 +02:00
no-block.c [PATCH] BLOCK: Make it possible to disable the block layer [try #6] 2006-09-30 20:52:31 +02:00
open.c [PATCH] fdtable: Make fdarray and fdsets equal in size 2006-12-10 09:57:22 -08:00
pipe.c [PATCH] fix leaks on pipe(2) failure exits 2006-12-21 00:16:03 -08:00
pnode.c [PATCH] rename struct namespace to struct mnt_namespace 2006-12-08 08:28:51 -08:00
pnode.h [PATCH] rename struct namespace to struct mnt_namespace 2006-12-08 08:28:51 -08:00
posix_acl.c [PATCH] kmemdup: some users 2006-10-01 00:39:19 -07:00
quota_v1.c
quota_v2.c
quota.c [PATCH] BLOCK: Make it possible to disable the block layer [try #6] 2006-09-30 20:52:31 +02:00
read_write.c [PATCH] one more EXPORT_UNUSED_SYMBOL removal 2006-12-13 09:05:53 -08:00
read_write.h [PATCH] Remove readv/writev methods and use aio_read/aio_write instead 2006-10-01 00:39:28 -07:00
readdir.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
select.c [PATCH] fdtable: Make fdarray and fdsets equal in size 2006-12-10 09:57:22 -08:00
seq_file.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
splice.c [PATCH] constify pipe_buf_operations 2006-12-13 09:05:47 -08:00
stack.c [PATCH] fsstack: Remove inode copy 2006-12-22 08:55:48 -08:00
stat.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
super.c [PATCH] Revert bd_mount_mutex back to a semaphore 2007-01-11 18:18:21 -08:00
sync.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00
utimes.c [PATCH] severing fs.h, radix-tree.h -> sched.h 2006-12-04 02:00:24 -05:00
xattr_acl.c
xattr.c [PATCH] VFS: change struct file to use struct path 2006-12-08 08:28:41 -08:00