Bug #950
closedCoredumping design error
0%
Description
Hello,
Similar to CVE-2007-6206 [1] I also noticed this minor design error in
Dragon Fly BSD when using the default %N.core format.
uid=1001(user) gid=1001(user) groups=1001(user), 0(wheel)
./coredumper
Segmentation fault (core dumped)
syslog: Feb 16 09:40:22 kernel: pid 723 (coredumper), uid 1001:
exited on signal 11 (core dumped)
md5 coredumper.core
MD5 (coredumper.core) = 1a21427d1b52b9bbea22cbf2b207b6f7
ls -la coredumper.core
rw------ 1 user user 1003520 Feb 16 09:40 coredumper.core
Password:su
syslog: Feb 16 09:40:56 su: user to root on /dev/ttyd0
- ./coredumper
Segmentation fault (core dumped)
syslog: Feb 16 09:41:14 kernel: pid 728 (coredumper), uid 0: exited
on signal 11 (core dumped) - md5 coredumper.core
MD5 (coredumper.core) = 68e3e5fee874e688c795537721a6b511 - ls
la coredumper.core1 user user 1003520 Feb 16 09:41 coredumper.core #
-rw------
I was not able to test the below patch. Trivial enough to fix if broken.
--- kern_sig.c 2008-02-14 13:41:12.000000000 0800
++ kern_sig-20080216.c 2008-02-16 01:15:01.000000000 +0800@ -2066,6 +2066,12
@ coredump(struct lwp *lp, int sig)
goto out1;
}
+ /* Don't dump to files current user does not own */
+ if (vattr.va_uid != p->p_ucred->cr_uid) {
+ error = EFAULT;
+ goto out1;
+ }
+
VATTR_NULL(&vattr);
vn_lock(vp, LK_EXCLUSIVE | LK_RETRY);
vattr.va_size = 0;
Regards,
Ed
[1] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6206>