[patch 85/88] exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337)

[Greg KH]

2.6.28-stable review patch.  If anyone has any objections, please let us know.

------------------

From: Oleg Nesterov <oleg@xxxxxxxxxx>

CVE-2009-1337

commit 432870dab85a2f69dc417022646cb9a70acf7f94 upstream.

The CAP_KILL check in exit_notify() looks just wrong, kill it.

Whatever logic we have to reset ->exit_signal, the malicious user
can bypass it if it execs the setuid application before exiting.

Signed-off-by: Oleg Nesterov <oleg@xxxxxxxxxx>
Acked-by: Serge Hallyn <serue@xxxxxxxxxx>
Acked-by: Roland McGrath <roland@xxxxxxxxxx>
Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>

---
 kernel/exit.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -942,8 +942,7 @@ static void exit_notify(struct task_stru
 	 */
 	if (tsk->exit_signal != SIGCHLD && !task_detached(tsk) &&
 	    (tsk->parent_exec_id != tsk->real_parent->self_exec_id ||
-	     tsk->self_exec_id != tsk->parent_exec_id) &&
-	    !capable(CAP_KILL))
+	     tsk->self_exec_id != tsk->parent_exec_id))
 		tsk->exit_signal = SIGCHLD;
 
 	signal = tracehook_notify_death(tsk, &cookie, group_dead);


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/