Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 27 Jan 2016 07:20:56 +0000 (UTC)
From:      Xin LI <delphij@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r294900 - in head/sys: amd64/linux amd64/linux32 i386/linux
Message-ID:  <201601270720.u0R7KuA5048375@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: delphij
Date: Wed Jan 27 07:20:55 2016
New Revision: 294900
URL: https://svnweb.freebsd.org/changeset/base/294900

Log:
  Implement AT_SECURE properly.
  
  AT_SECURE auxv entry has been added to the Linux 2.5 kernel to pass a
  boolean flag indicating whether secure mode should be enabled. 1 means
  that the program has changes its credentials during the execution.
  Being exported AT_SECURE used by glibc issetugid() call.
  
  Submitted by:	imp, dchagin
  Security:	FreeBSD-SA-16:10.linux
  Security:	CVE-2016-1883

Modified:
  head/sys/amd64/linux/linux_sysvec.c
  head/sys/amd64/linux32/linux32_sysvec.c
  head/sys/i386/linux/linux_sysvec.c

Modified: head/sys/amd64/linux/linux_sysvec.c
==============================================================================
--- head/sys/amd64/linux/linux_sysvec.c	Wed Jan 27 07:06:49 2016	(r294899)
+++ head/sys/amd64/linux/linux_sysvec.c	Wed Jan 27 07:20:55 2016	(r294900)
@@ -271,6 +271,7 @@ elf_linux_fixup(register_t **stack_base,
 	Elf_Addr *pos;
 	struct ps_strings *arginfo;
 	struct proc *p;
+	int issetugid;
 
 	p = imgp->proc;
 	arginfo = (struct ps_strings *)p->p_sysent->sv_psstrings;
@@ -281,6 +282,7 @@ elf_linux_fixup(register_t **stack_base,
 	args = (Elf64_Auxargs *)imgp->auxargs;
 	pos = base + (imgp->args->argc + imgp->args->envc + 2);
 
+	issetugid = p->p_flag & P_SUGID ? 1 : 0;
 	AUXARGS_ENTRY(pos, LINUX_AT_SYSINFO_EHDR,
 	    imgp->proc->p_sysent->sv_shared_page_base);
 	AUXARGS_ENTRY(pos, LINUX_AT_HWCAP, cpu_feature);
@@ -296,7 +298,7 @@ elf_linux_fixup(register_t **stack_base,
 	AUXARGS_ENTRY(pos, AT_EUID, imgp->proc->p_ucred->cr_svuid);
 	AUXARGS_ENTRY(pos, AT_GID, imgp->proc->p_ucred->cr_rgid);
 	AUXARGS_ENTRY(pos, AT_EGID, imgp->proc->p_ucred->cr_svgid);
-	AUXARGS_ENTRY(pos, LINUX_AT_SECURE, 0);
+	AUXARGS_ENTRY(pos, LINUX_AT_SECURE, issetugid);
 	AUXARGS_ENTRY(pos, LINUX_AT_PLATFORM, PTROUT(linux_platform));
 	AUXARGS_ENTRY(pos, LINUX_AT_RANDOM, imgp->canary);
 	if (imgp->execpathp != 0)

Modified: head/sys/amd64/linux32/linux32_sysvec.c
==============================================================================
--- head/sys/amd64/linux32/linux32_sysvec.c	Wed Jan 27 07:06:49 2016	(r294899)
+++ head/sys/amd64/linux32/linux32_sysvec.c	Wed Jan 27 07:20:55 2016	(r294900)
@@ -230,6 +230,7 @@ elf_linux_fixup(register_t **stack_base,
 	Elf32_Addr *base;
 	Elf32_Addr *pos;
 	struct linux32_ps_strings *arginfo;
+	int issetugid;
 
 	arginfo = (struct linux32_ps_strings *)LINUX32_PS_STRINGS;
 
@@ -239,6 +240,7 @@ elf_linux_fixup(register_t **stack_base,
 	args = (Elf32_Auxargs *)imgp->auxargs;
 	pos = base + (imgp->args->argc + imgp->args->envc + 2);
 
+	issetugid = imgp->proc->p_flag & P_SUGID ? 1 : 0;
 	AUXARGS_ENTRY_32(pos, LINUX_AT_SYSINFO_EHDR,
 	    imgp->proc->p_sysent->sv_shared_page_base);
 	AUXARGS_ENTRY_32(pos, LINUX_AT_SYSINFO, linux32_vsyscall);
@@ -261,7 +263,7 @@ elf_linux_fixup(register_t **stack_base,
 	AUXARGS_ENTRY_32(pos, AT_FLAGS, args->flags);
 	AUXARGS_ENTRY_32(pos, AT_ENTRY, args->entry);
 	AUXARGS_ENTRY_32(pos, AT_BASE, args->base);
-	AUXARGS_ENTRY_32(pos, LINUX_AT_SECURE, 0);
+	AUXARGS_ENTRY_32(pos, LINUX_AT_SECURE, issetugid);
 	AUXARGS_ENTRY_32(pos, AT_UID, imgp->proc->p_ucred->cr_ruid);
 	AUXARGS_ENTRY_32(pos, AT_EUID, imgp->proc->p_ucred->cr_svuid);
 	AUXARGS_ENTRY_32(pos, AT_GID, imgp->proc->p_ucred->cr_rgid);

Modified: head/sys/i386/linux/linux_sysvec.c
==============================================================================
--- head/sys/i386/linux/linux_sysvec.c	Wed Jan 27 07:06:49 2016	(r294899)
+++ head/sys/i386/linux/linux_sysvec.c	Wed Jan 27 07:20:55 2016	(r294900)
@@ -238,11 +238,13 @@ elf_linux_fixup(register_t **stack_base,
 	Elf32_Addr *uplatform;
 	struct ps_strings *arginfo;
 	register_t *pos;
+	int issetugid;
 
 	KASSERT(curthread->td_proc == imgp->proc,
 	    ("unsafe elf_linux_fixup(), should be curproc"));
 
 	p = imgp->proc;
+	issetugid = imgp->proc->p_flag & P_SUGID ? 1 : 0;
 	arginfo = (struct ps_strings *)p->p_sysent->sv_psstrings;
 	uplatform = (Elf32_Addr *)((caddr_t)arginfo - linux_szplatform);
 	args = (Elf32_Auxargs *)imgp->auxargs;
@@ -270,7 +272,7 @@ elf_linux_fixup(register_t **stack_base,
 	AUXARGS_ENTRY(pos, AT_FLAGS, args->flags);
 	AUXARGS_ENTRY(pos, AT_ENTRY, args->entry);
 	AUXARGS_ENTRY(pos, AT_BASE, args->base);
-	AUXARGS_ENTRY(pos, LINUX_AT_SECURE, 0);
+	AUXARGS_ENTRY(pos, LINUX_AT_SECURE, issetugid);
 	AUXARGS_ENTRY(pos, AT_UID, imgp->proc->p_ucred->cr_ruid);
 	AUXARGS_ENTRY(pos, AT_EUID, imgp->proc->p_ucred->cr_svuid);
 	AUXARGS_ENTRY(pos, AT_GID, imgp->proc->p_ucred->cr_rgid);



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201601270720.u0R7KuA5048375>