
kernel-2.6.18-128.1.10.el5.src.rpm

From: Jerome Marchand <jmarchan@redhat.com>
Date: Mon, 14 Jul 2008 11:26:39 +0200
Subject: [misc] core dump: remain dumpable
Message-id: 487B1BCF.2000508@redhat.com
O-Subject: [RHEL5.3 PATCH] BZ437958 core dump: remain dumpable
Bugzilla: 437958
RH-Acked-by: Roland McGrath <roland@redhat.com>

Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=437958

Description (from git commit):
The coredump code always calls set_dumpable(0) when it starts (even if
RLIMIT_CORE prevents any core from being dumped).  The effect of this
(via task_dumpable) is to make /proc/pid/* files owned by root instead
of the user, so the user can no longer examine his own process--in a
case where there was never any privileged data to protect.  This
affects e.g. auxv, environ, fd; in Fedora (execshield) kernels, also
maps.  In practice, you can only notice this when a debugger has
requested PTRACE_EVENT_EXIT tracing.

set_dumpable was only used in do_coredump for synchronization and not
intended for any security purpose.  (It doesn't secure anything that
wasn't already unsecured when a process dies by SIGTERM instead of
SIGQUIT.)

This changes do_coredump to check the core_waiters count as the means
of synchronization, which is sufficient.  Now we leave the "dumpable"
bits alone.

Upstream status:
commit 00ec99da43a7c2aed46c6595aa271b84bb1b1462

Brew build:
http://brewweb.devel.redhat.com/brew/taskinfo?taskID=1383466

Test status:
Built on all arch, tested on i686 using the reproducer attached to
bugzilla.

Regards,
Jerome
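The user-visible effect the description above relies on (a task whose "dumpable" flag is cleared has its /proc/<pid> files presented as owned by root, so an unprivileged user can no longer read e.g. /proc/self/environ) can be observed from user space. The program below is an added example, not part of this patch, the kernel source, or Jerome's reproducer; it assumes a Linux host with /proc mounted and uses only prctl(PR_SET_DUMPABLE / PR_GET_DUMPABLE), stat() and open(). The kernel-internal set_dumpable()/mm->dumpable handling that the patch changes is reached here only indirectly, through prctl.

```c
/* Added example (not part of the RHEL patch or the kernel source): shows from
 * user space how the dumpable flag drives the ownership of /proc/<pid> files.
 * Run as an unprivileged user to see the EACCES symptom from the bug report;
 * as root the open() succeeds in both states, only the owner uid changes.
 * Linux-only. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Set the calling task's dumpable flag to `value` (0 or 1) and return what
 * the kernel reports back through PR_GET_DUMPABLE, or -1 on error. */
int set_and_get_dumpable(int value)
{
    if (prctl(PR_SET_DUMPABLE, value, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_DUMPABLE, 0, 0, 0, 0);
}

/* Return the owner uid of /proc/self/environ as the kernel presents it right
 * now (root, i.e. 0, when the task is not dumpable), or -1 if stat() fails. */
long proc_environ_owner(void)
{
    struct stat st;
    if (stat("/proc/self/environ", &st) != 0)
        return -1;
    return (long)st.st_uid;
}

/* Try to open /proc/self/environ for reading; return 0 on success or the
 * errno on failure (EACCES for an unprivileged, non-dumpable task). */
int try_open_environ(void)
{
    int fd = open("/proc/self/environ", O_RDONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    /* Walk through dumpable=1 (default) and dumpable=0 and report the
     * /proc view in each state. */
    int states[2] = {1, 0};
    for (int i = 0; i < 2; i++) {
        int d = set_and_get_dumpable(states[i]);
        long uid = proc_environ_owner();
        int err = try_open_environ();
        printf("dumpable=%d  /proc/self/environ owner uid=%ld  open: %s\n",
               d, uid, err ? strerror(err) : "ok");
    }
    set_and_get_dumpable(1); /* restore the default before exiting */
    return 0;
}
```

Note that PR_SET_DUMPABLE only changes the flag for the calling task; the ownership flip is recomputed by the kernel on each /proc lookup, which is why the same path reports a different owner in the two iterations.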

diff --git a/fs/exec.c b/fs/exec.c
index 0581532..966613c 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -1476,7 +1476,10 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
 	if (current->tux_exit)
 		current->tux_exit();
 	down_write(&mm->mmap_sem);
-	if (!mm->dumpable) {
+	/*
+	 * If another thread got here first, or we are not dumpable, bail out.
+	 */
+	if (mm->core_waiters || !mm->dumpable) {
 		up_write(&mm->mmap_sem);
 		goto fail;
 	}
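Review bot: The comment added above `if (mm->core_waiters || !mm->dumpable)` states the intent but not the invariant it depends on: this test is only a sufficient gate if the first thread to pass it raises mm->core_waiters before it drops the write lock taken at `down_write(&mm->mmap_sem)` three lines up. Neither that ordering nor the writer of core_waiters is visible in this hunk, so the comment (or the commit message) should name it, e.g. "core_waiters is set by coredump_wait() while mmap_sem is still held"; since this count now replaces the old `mm->dumpable = 0` store as the only synchronization, a reader of the backport should not have to dig for that.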
@@ -1490,7 +1493,6 @@ int do_coredump(long signr, int exit_code, struct pt_regs * regs)
 		flag = O_EXCL;		/* Stop rewrite attacks */
 		current->fsuid = 0;	/* Dump root private */
 	}
-	mm->dumpable = 0;
 
 	retval = coredump_wait(exit_code);
 	if (retval < 0)
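Review bot: With `mm->dumpable = 0;` gone, the task keeps its dumpable value for the rest of its life, including after the `current->fsuid = 0; /* Dump root private */` branch above has run for the suid_dumpable==2 case. That is the stated intent, but please confirm (and note in the commit message) that nothing between here and `retval = coredump_wait(exit_code)`, nor the failure path after `if (retval < 0)`, still reads mm->dumpable expecting it to be zero once a dump has started, and that the `O_EXCL` / fsuid handling does not rely on the flag being cleared to keep later /proc or ptrace access from the user blocked.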