• Jann Horn's avatar
    fs/coredump: prevent fsuid=0 dumps into user-controlled directories · b80e0e86
    Jann Horn authored
    commit 378c6520 upstream.
    
    This commit fixes the following security hole affecting systems where
    all of the following conditions are fulfilled:
    
     - The fs.suid_dumpable sysctl is set to 2.
     - The kernel.core_pattern sysctl's value starts with "/". (Systems
       where kernel.core_pattern starts with "|/" are not affected.)
     - Unprivileged user namespace creation is permitted. (This is
       true on Linux >=3.8, but some distributions disallow it by
       default using a distro patch.)
    
    Under these conditions, if a program executes under secure exec rules,
    causing it to run with the SUID_DUMP_ROOT flag, then unshares its user
    namespace, changes its root directory and crashes, the coredump will be
    written using fsuid=0 and a path derived from kernel.core_pattern - but
    this path is interpreted relative to the root directory of the process,
    allowing the attacker to control where a coredump will be written with
    root privileges.
    
    To fix the security issue, always interpret core_pattern for dumps that
    are written under SUID_DUMP_ROOT relative to the root directory of init.
    Signed-off-by: default avatarJann Horn <jann@thejh.net>
    Acked-by: default avatarKees Cook <keescook@chromium.org>
    Cc: Al Viro <viro@zeniv.linux.org.uk>
    Cc: "Eric W. Biederman" <ebiederm@xmission.com>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    [bwh: Backported to 3.16: adjust context]
    Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
    b80e0e86
fhandle.c 6.48 KB