git.itanic.dy.fi Git - linux-stable/commitdiff
fix prctl privilege escalation and suid_dumpable (CVE-2006-2451)
author Greg Kroah-Hartman <gregkh@suse.de>
Thu, 6 Jul 2006 20:05:42 +0000 (13:05 -0700)
committer Greg Kroah-Hartman <gregkh@suse.de>
Thu, 6 Jul 2006 20:05:42 +0000 (13:05 -0700)
Based on a patch from Ernie Petrides

During security research, Red Hat discovered a behavioral flaw in core
dump handling. A local user could create a program that would cause a
core file to be dumped into a directory they would not normally have
permissions to write to. This could lead to a denial of service (disk
consumption), or allow the local user to gain root privileges.

Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
kernel/sys.c

index 105e102e1c4a553b701aa6a1e11d3658a2db41b8..413706a55cb6c579ba4711aa590b82928666c6b5 100644 (file)
@@ -1802,7 +1802,7 @@ asmlinkage long sys_prctl(int option, unsigned long arg2, unsigned long arg3,
                        error = current->mm->dumpable;
                        break;
                case PR_SET_DUMPABLE:
-                       if (arg2 < 0 || arg2 > 2) {
+                       if (arg2 < 0 || arg2 > 1) {
                                error = -EINVAL;
                                break;
                        }
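
Review bot: in the PR_SET_DUMPABLE range check, the "arg2 < 0" half can never be true, because arg2 is declared unsigned long in the sys_prctl signature shown in the hunk header; the test reduces to "arg2 > 1" and the dead comparison should be dropped. The new upper bound also needs a one-line comment saying that the value 2 is rejected on purpose for this prctl path, since the commit message ties the change to core files landing in directories the caller cannot write to, and the bare constant does not tell a later reader that 2 was removed deliberately rather than mistyped. Callers that previously passed 2 will now get -EINVAL, which is worth stating in the changelog so the behavior change is not a surprise.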