Bug #950 (closed): Coredumping design error

Added by ed almost 17 years ago. Updated over 16 years ago.

Status: Closed
Priority: Normal
% Done: 0%

Description

Hello,

Similar to CVE-2007-6206 [1], I also noticed this minor design error in
DragonFly BSD when using the default %N.core format.

uid=1001(user) gid=1001(user) groups=1001(user), 0(wheel)

./coredumper
Segmentation fault (core dumped)
syslog: Feb 16 09:40:22 kernel: pid 723 (coredumper), uid 1001: exited on signal 11 (core dumped)

md5 coredumper.core
MD5 (coredumper.core) = 1a21427d1b52b9bbea22cbf2b207b6f7

ls -la coredumper.core
-rw-------  1 user  user  1003520 Feb 16 09:40 coredumper.core

su
Password:
syslog: Feb 16 09:40:56 su: user to root on /dev/ttyd0

# ./coredumper
Segmentation fault (core dumped)
syslog: Feb 16 09:41:14 kernel: pid 728 (coredumper), uid 0: exited on signal 11 (core dumped)

# md5 coredumper.core
MD5 (coredumper.core) = 68e3e5fee874e688c795537721a6b511

# ls -la coredumper.core
-rw-------  1 user  user  1003520 Feb 16 09:41 coredumper.core
#

I was not able to test the below patch. Trivial enough to fix if broken.

--- kern_sig.c 2008-02-14 13:41:12.000000000 0800
++ kern_sig-20080216.c 2008-02-16 01:15:01.000000000 +0800
@ -2066,6 +2066,12 @ coredump(struct lwp *lp, int sig)
goto out1;
}

+ /* Don't dump to files current user does not own */
+ if (vattr.va_uid != p->p_ucred->cr_uid) {
+ error = EFAULT;
+ goto out1;
+ }
+
VATTR_NULL(&vattr);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
vattr.va_size = 0;
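Review bot: EFAULT is the wrong errno for the new `if (vattr.va_uid != p->p_ucred->cr_uid)` block; EFAULT signals a bad user-space address, whereas this is a refusal to write into a file the dumping credential does not own, so EPERM (or EACCES) says what actually happened and is what anyone reading the resulting error will expect. The placement is right: the comparison happens before `VATTR_NULL(&vattr)` and the `vattr.va_size = 0` truncation, so an existing file owned by another uid is left untouched rather than overwritten with the root process's memory, which is the failure the report demonstrates. Two smaller points: the comment "current user" should say the process's effective uid (`cr_uid`), since that is what is compared, and because the check reads `vattr.va_uid` before the structure is reset it depends on the getattr above the hunk having succeeded, which is worth confirming given the reporter says the patch is untested.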

Regards,
Ed

[1] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6206>
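The same ownership rule the patch applies in the kernel, written here as a userland helper to show the check order that matters: look at the existing file first, refuse one that another uid owns, and only then truncate. This is an added illustration, not code from Ed's report or the DragonFly tree; the function names and the /tmp sample path are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` for writing a dump. Refuses to reuse an existing file unless it
 * is a regular file with a single link that `owner` owns, and defers O_TRUNC
 * until after that inspection so a foreign file is never emptied and filled.
 * Returns an fd on an empty file, or -1 with errno set (EPERM for a refusal). */
int open_dump_file(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW rejects a symlink planted at the dump path. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0) {
        close(fd);
        return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != owner) {
        close(fd);
        errno = EPERM;      /* a permission refusal, not EFAULT */
        return -1;
    }
    if (ftruncate(fd, 0) < 0) {  /* now it is safe to discard the contents */
        close(fd);
        return -1;
    }
    return fd;
}

/* Self-check on a constructed temp file: returns 1 when our own file is
 * accepted (and emptied), a foreign uid is refused, and a directory is refused. */
int dump_file_check_scenarios(void)
{
    char path[] = "/tmp/dumpcheck.XXXXXX";   /* assumed writable location */
    struct stat st;
    int fd = mkstemp(path), ok = 1, d;
    if (fd < 0) return 0;
    if (write(fd, "old", 3) != 3) ok = 0;
    close(fd);
    d = open_dump_file(path, geteuid());          /* our own file: accepted */
    if (d < 0 || fstat(d, &st) < 0 || st.st_size != 0) ok = 0;
    if (d >= 0) close(d);
    if (open_dump_file(path, geteuid() + 1) != -1 || errno != EPERM) ok = 0;
    if (open_dump_file("/tmp", geteuid()) != -1) ok = 0;
    unlink(path);
    return ok;
}
```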
