kernel-2.6.18-238.el5.src.rpm

From: Danny Feng <dfeng@redhat.com>
Date: Mon, 14 Dec 2009 09:25:11 -0500
Subject: [fs] respect flag in do_coredump
Message-id: <20091214092506.3341.1237.sendpatchset@dhcp-65-180.nay.redhat.com>
Patchwork-id: 21914
O-Subject: [PATCH RHEL5.5] CVE-2009-4036: use flag in do_coredump()
Bugzilla: 544189
CVE: CVE-2009-4036
RH-Acked-by: Neil Horman <nhorman@redhat.com>
RH-Acked-by: Dave Anderson <anderson@redhat.com>
RH-Acked-by: Dean Nelson <dnelson@redhat.com>
RH-Acked-by: Eugene Teo <eugene@redhat.com>

RHBZ#:
https://bugzilla.redhat.com/show_bug.cgi?id=544189

Description:
In do_coredump() the flag variable is set but isn't used during the filp_open()
call.  This leaves a re-write attack vulnerability exposed.

This issue did not affect the versions of Linux kernel as shipped with Red Hat
Enterprise Linux 5 when it was first reported back in 2006 with CVE-2006-6304.
However, the issue was introduced last July 2008 with a patch for "[misc] pipe
support to /proc/sys/net/core_pattern". It was assigned as CVE-2009-4036, and
only affected our kernel.

Upstream status:
commit 6d4df6

Brew Build:
https://brewweb.devel.redhat.com/taskinfo?taskID=2149236

diff --git a/fs/exec.c b/fs/exec.c
index 2af9026..c6b2570 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1774,7 +1774,8 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
 		}
 	} else if (core_limit >= binfmt->min_coredump)
 		file = filp_open(corename,
-				 O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE, 0600);
+				 O_CREAT | 2 | O_NOFOLLOW | O_LARGEFILE | flag,
+				 0600);
 
 end_open:
 	cprm.file = file;
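Review bot: the hunk does exactly what the description asks (the `flag` computed earlier in do_coredump() is now ORed into the filp_open() flags), but the open mode is still the bare literal `2`; spelling it `O_RDWR` would make the flag set readable and easier to audit in review. Also worth confirming in the surrounding context that `flag` is initialized on every path that reaches this filp_open() call, since the new line ORs it in unconditionally and an uninitialized value would silently change the open semantics.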