Implement AT_SECURE properly.

AT_SECURE auxv entry has been added to the Linux 2.5 kernel to pass a
boolean flag indicating whether secure mode should be enabled. 1 means
that the program has changes its credentials during the execution.
Being exported AT_SECURE used by glibc issetugid() call.

Submitted by:	imp, dchagin
Security:	FreeBSD-SA-16:10.linux
Security:	CVE-2016-1883
This commit is contained in:
Xin LI 2016-01-27 07:20:55 +00:00
parent 6144b07f9b
commit 669414e4fb
3 changed files with 9 additions and 3 deletions

View File

@ -271,6 +271,7 @@ elf_linux_fixup(register_t **stack_base, struct image_params *imgp)
Elf_Addr *pos;
struct ps_strings *arginfo;
struct proc *p;
int issetugid;
p = imgp->proc;
arginfo = (struct ps_strings *)p->p_sysent->sv_psstrings;
@ -281,6 +282,7 @@ elf_linux_fixup(register_t **stack_base, struct image_params *imgp)
args = (Elf64_Auxargs *)imgp->auxargs;
pos = base + (imgp->args->argc + imgp->args->envc + 2);
issetugid = p->p_flag & P_SUGID ? 1 : 0;
AUXARGS_ENTRY(pos, LINUX_AT_SYSINFO_EHDR,
imgp->proc->p_sysent->sv_shared_page_base);
AUXARGS_ENTRY(pos, LINUX_AT_HWCAP, cpu_feature);
@ -296,7 +298,7 @@ elf_linux_fixup(register_t **stack_base, struct image_params *imgp)
AUXARGS_ENTRY(pos, AT_EUID, imgp->proc->p_ucred->cr_svuid);
AUXARGS_ENTRY(pos, AT_GID, imgp->proc->p_ucred->cr_rgid);
AUXARGS_ENTRY(pos, AT_EGID, imgp->proc->p_ucred->cr_svgid);
AUXARGS_ENTRY(pos, LINUX_AT_SECURE, 0);
AUXARGS_ENTRY(pos, LINUX_AT_SECURE, issetugid);
AUXARGS_ENTRY(pos, LINUX_AT_PLATFORM, PTROUT(linux_platform));
AUXARGS_ENTRY(pos, LINUX_AT_RANDOM, imgp->canary);
if (imgp->execpathp != 0)

View File

@ -230,6 +230,7 @@ elf_linux_fixup(register_t **stack_base, struct image_params *imgp)
Elf32_Addr *base;
Elf32_Addr *pos;
struct linux32_ps_strings *arginfo;
int issetugid;
arginfo = (struct linux32_ps_strings *)LINUX32_PS_STRINGS;
@ -239,6 +240,7 @@ elf_linux_fixup(register_t **stack_base, struct image_params *imgp)
args = (Elf32_Auxargs *)imgp->auxargs;
pos = base + (imgp->args->argc + imgp->args->envc + 2);
issetugid = imgp->proc->p_flag & P_SUGID ? 1 : 0;
AUXARGS_ENTRY_32(pos, LINUX_AT_SYSINFO_EHDR,
imgp->proc->p_sysent->sv_shared_page_base);
AUXARGS_ENTRY_32(pos, LINUX_AT_SYSINFO, linux32_vsyscall);
@ -261,7 +263,7 @@ elf_linux_fixup(register_t **stack_base, struct image_params *imgp)
AUXARGS_ENTRY_32(pos, AT_FLAGS, args->flags);
AUXARGS_ENTRY_32(pos, AT_ENTRY, args->entry);
AUXARGS_ENTRY_32(pos, AT_BASE, args->base);
AUXARGS_ENTRY_32(pos, LINUX_AT_SECURE, 0);
AUXARGS_ENTRY_32(pos, LINUX_AT_SECURE, issetugid);
AUXARGS_ENTRY_32(pos, AT_UID, imgp->proc->p_ucred->cr_ruid);
AUXARGS_ENTRY_32(pos, AT_EUID, imgp->proc->p_ucred->cr_svuid);
AUXARGS_ENTRY_32(pos, AT_GID, imgp->proc->p_ucred->cr_rgid);

View File

@ -238,11 +238,13 @@ elf_linux_fixup(register_t **stack_base, struct image_params *imgp)
Elf32_Addr *uplatform;
struct ps_strings *arginfo;
register_t *pos;
int issetugid;
KASSERT(curthread->td_proc == imgp->proc,
("unsafe elf_linux_fixup(), should be curproc"));
p = imgp->proc;
issetugid = imgp->proc->p_flag & P_SUGID ? 1 : 0;
arginfo = (struct ps_strings *)p->p_sysent->sv_psstrings;
uplatform = (Elf32_Addr *)((caddr_t)arginfo - linux_szplatform);
args = (Elf32_Auxargs *)imgp->auxargs;
@ -270,7 +272,7 @@ elf_linux_fixup(register_t **stack_base, struct image_params *imgp)
AUXARGS_ENTRY(pos, AT_FLAGS, args->flags);
AUXARGS_ENTRY(pos, AT_ENTRY, args->entry);
AUXARGS_ENTRY(pos, AT_BASE, args->base);
AUXARGS_ENTRY(pos, LINUX_AT_SECURE, 0);
AUXARGS_ENTRY(pos, LINUX_AT_SECURE, issetugid);
AUXARGS_ENTRY(pos, AT_UID, imgp->proc->p_ucred->cr_ruid);
AUXARGS_ENTRY(pos, AT_EUID, imgp->proc->p_ucred->cr_svuid);
AUXARGS_ENTRY(pos, AT_GID, imgp->proc->p_ucred->cr_rgid);