content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
	charset="US-ASCII"
Content-Transfer-Encoding: 8BIT
Subject: RE: [PATCH]: non-readable binaries - binfmt_misc 2.6.0-test4
Date: Thu, 4 Sep 2003 09:30:17 +0300
Message-ID: <2C83850C013A2540861D03054B478C0601CF64F5@hasmsx403.iil.intel.com>
Thread-Topic: [PATCH]: non-readable binaries - binfmt_misc 2.6.0-test4
Thread-Index: AcNwEa03FGABvpAzRpiM4Fh2G8D1tQCm5kNA
From: "Zach, Yoav" <yoav.zach@intel.com>
To: "Alan Cox" <alan@lxorguk.ukuu.org.uk>
Cc: "Linux Kernel Mailing List" <linux-kernel@vger.kernel.org>
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 935
Lines: 28

> You've added a security hole.
> 
> > + 	if (fmt->flags & MISC_FMT_OPEN_BINARY) {
> > +		/* if the binary should be opened on behalf of the
> > +		 * interpreter than keep it open and assign it a
> > descriptor */
> > + 		fd = get_unused_fd ();
> > + 		if (fd < 0) {
> 
> At this point your file table might be shared with another thread (see
> binfmt_elf in 2.4 - I dunno if 2.6 has been fixed for this 
> exploit yet).
> You need to unshare the file table before you modify it 
> during the exec.
> 
> Otherwise it looks fairly sane.
> 

Do you know whether the 'unshare_files' patch was already prepared and
sent to the 2.6 maintainer ? If not then I would like to do it.

Thanks,
Yoav.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/