Require mmap handler for a.out executables

Hi Linus,

with the nasty /proc privilege escalation (CVE-2006-3626) it became
clear that we need to do something more to better protect us against
people exploiting stuff in /proc. Besides the don't allow chmod stuff,
Eugene also proposed to depend the a.out execution on the existence of
the mmap handler. Since we are doing the same for ELF, this makes
totally sense to me.

The attached patch implements the additional check for the mmap handler
and I hope you consider it for upstream inclusion.

Regards

Marcel

[PATCH] Require mmap handler for a.out executables

Files supported by fs/proc/base.c, i.e. /proc/<pid>/*, are not capable
of meeting the validity checks in ELF load_elf_*() handling because they
have no mmap handler which is required by ELF. In order to stop a.out
executables being used as part of an exploit attack against /proc-related
vulnerabilities, we make a.out executables depend on ->mmap() existing.

Signed-off-by: Eugene Teo <[email protected]>
Signed-off-by: Marcel Holtmann <[email protected]>

---
commit 1597cf8405734e4747c808bb7e04115a6670dccf
tree 49050549aee6406dab0c021c5aa4e9bfc337bd8f
parent 44eb123126d289bac398cac0232309c228386671
author Marcel Holtmann <[email protected]> Wed, 26 Jul 2006 12:12:14 +0200
committer Marcel Holtmann <[email protected]> Wed, 26 Jul 2006 12:12:14 +0200

 fs/binfmt_aout.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/fs/binfmt_aout.c b/fs/binfmt_aout.c
index f312103..5638acf 100644
--- a/fs/binfmt_aout.c
+++ b/fs/binfmt_aout.c
@@ -278,6 +278,9 @@ static int load_aout_binary(struct linux
 		return -ENOEXEC;
 	}
 
+	if (!bprm->file->f_op || !bprm->file->f_op->mmap)
+		return -ENOEXEC;
+
 	fd_offset = N_TXTOFF(ex);
 
 	/* Check initial limits. This avoids letting people circumvent
@@ -476,6 +479,9 @@ static int load_aout_library(struct file
 		goto out;
 	}
 
+	if (!file->f_op || !file->f_op->mmap)
+		goto out;
+
 	if (N_FLAGS(ex))
 		goto out;
 

---

• Follow-Ups:
  • Re: Require mmap handler for a.out executables
    • From: Christoph Hellwig <[email protected]>

• Prev by Date: Re: [3/4] kevent: AIO, aio_sendfile() implementation.
• Next by Date: Re: [1/4] kevent: core files.
• Previous by thread: [PATCH] Add parenthesis around arguments in the SH_DIV macro.
• Next by thread: Re: Require mmap handler for a.out executables
• Index(es):
  • Date
  • Thread

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Stuff]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]     [Linux Resources]