• Jann Horn's avatar
    fs/coredump: prevent fsuid=0 dumps into user-controlled directories · 378c6520
    Jann Horn authored
    This commit fixes the following security hole affecting systems where
    all of the following conditions are fulfilled:
    
     - The fs.suid_dumpable sysctl is set to 2.
     - The kernel.core_pattern sysctl's value starts with "/". (Systems
       where kernel.core_pattern starts with "|/" are not affected.)
     - Unprivileged user namespace creation is permitted. (This is
       true on Linux >=3.8, but some distributions disallow it by
       default using a distro patch.)
    
    Under these conditions, if a program executes under secure exec rules,
    causing it to run with the SUID_DUMP_ROOT flag, then unshares its user
    namespace, changes its root directory and crashes, the coredump will be
    written using fsuid=0 and a path derived from kernel.core_pattern - but
    this path is interpreted relative to the root directory of the process,
    allowing the attacker to control where a coredump will be written with
    root privileges.
    
    To fix the security issue, always interpret core_p...
    378c6520
coredump.c 20.6 KB