Bug 537273 (CVE-2006-6304)

Summary: CVE-2006-6304 kernel: use flag in do_coredump()
Product: [Other] Security Response Reporter: Dave Maley <dmaley>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: anderson, dhoward, jpirko, jskrabal, lwang, mgahagan, mjc, nhorman, security-response-team, tao
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-12-22 19:20:11 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 544188, 544189    
Bug Blocks:    
Attachments:
Description Flags
upstream patch none

Description Dave Maley 2009-11-13 01:13:57 UTC 
Created attachment 369360 [details]
upstream patch

Description of problem:
In do_coredump() the flag variable is set but isn't used during the filp_open() call.  This leaves a re-write attack vulnerability exposed.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6304


Version-Release number of selected component (if applicable):
2.6.18-164.el5


How reproducible:
N/A


Steps to Reproduce:
1. N/A
2.
3.
  
Actual results:


Expected results:


Additional info:
upstream commit: 6d4df677f8a60ea6bc0ef1a596c1a3a79b1d4882
Comment 2 Dave Maley 2009-11-25 17:14:02 UTC 
Hi Furuta-san - This bug is not specific to the 2.6.19 kernel.  The necessary fix was included in 2.6.19.1 and versions prior to that are vulnerable.  Thus RHEL5 is affected.   

This vulnerability could allow a local attacker to modify certain files during a core dump.  According to [1] there are no known exploits of this bug.  So there should be no need to implement a workaround.  However the vulnerability does exist in RHEL5 and so we should include the fix.

I'd also like to receive confirmation from engineering, however I am fairly confident in my findings/analysis.

~dmaley

[1] http://www.securityfocus.com/bid/21591/exploit
Comment 3 Dave Anderson 2009-12-02 14:19:16 UTC 
> I'd also like to receive confirmation from engineering, however I am fairly
> confident in my findings/analysis.

Certainly the bug exists in RHEL5 -- is that what you're asking for confirmation?
Comment 4 Dave Maley 2009-12-02 17:00:38 UTC 
> Certainly the bug exists in RHEL5 -- is that what you're asking for
> confirmation?

yes, but also that there's no apparent risk associated for which we should be providing guidance/workarounds?
Comment 5 Dave Anderson 2009-12-02 18:52:35 UTC 
I have no idea.
Comment 6 Dave Maley 2009-12-03 20:59:02 UTC 
OK then since there's a CVE assigned and the actual risks are unclear I'm adding the "Security" keyword.  If there's something more/else I should do to ensure the security folks are made aware pls let me know.
Comment 13 Eugene Teo (Security Response) 2009-12-04 06:17:14 UTC 
This issue did not affect the versions of Linux kernel as shipped with Red Hat Enterprise Linux 5 when it was first reported back in 2006 with CVE-2006-6304. However, the issue was introduced last July 2008 with a patch for "[misc] pipe support to /proc/sys/net/core_pattern".

In the do_coredump() function, the flag is only set (to O_EXCL) if mm->dumpable is 2.

fs/exec.c:
        /*
         *      We cannot trust fsuid as being the "true" uid of the
         *      process nor do we know its entire history. We only know it
         *      was tainted so we dump it as root in mode 2.
         */ 
        if (mm->dumpable == 2)          /* Setuid core dump mode */
        {
                flag = O_EXCL;          /* Stop rewrite attacks */
                current->fsuid = 0;     /* Dump root private */
        }
        mm->dumpable = 0;

"And then filp_open follows with "flag" totally ignored."

Note that this issue only matters if dumpable is set to 2. The default is 0.

See man 5 proc:
/proc/sys/fs/suid_dumpable (since Linux 2.6.13)
The value in this file determines whether core dump files are produced for set-user-ID or otherwise protected/tainted binaries. Three different integer values can be specified:
[...]
2 ("suidsafe") Any binary which normally would not be dumped (see "0" above) is dumped readable by root only. This allows the user to remove the core dump file but not to read it. For security reasons core dumps in this mode will not overwrite one another or other files. This mode is appropriate when administrators are attempting to debug problems in a normal environment.

Ensure that suid_dumpable is always set to 0.
Comment 14 Neil Horman 2009-12-04 16:40:52 UTC 
So, I'm reviewing this, and while clearly its a good patch to take on priciple, I really don't think the impact of this bug warrants  zstream release. By omitting O_EXCL, we simply inform the the kernel that it shold fail if the attempted file creation already exists.  By not doing that, we simply offer an attacker the opportunity to append data to a core file (by guesssing the file name and creating a very large file (larger than the core), prior to crashing the prcoess whos core will map to that same name.  Potentially irritating, yes, but certainly not serious from a security standpoint.  I get putting it in 5.5, but do we really need to crack open 5.4.z for this?
Comment 15 Eugene Teo (Security Response) 2009-12-07 03:00:40 UTC 
As discussed last week, we will fix this in 5.4.z.
Comment 17 errata-xmlrpc 2010-01-19 23:37:10 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0046 https://rhn.redhat.com/errata/RHSA-2010-0046.html