From: Oleg Nesterov <oleg@redhat.com>
Date: Thu, 9 Apr 2009 00:47:18 +0200
Subject: [misc] exit_notify: kill the wrong capable check
Message-id: 20090408224718.GA4476@redhat.com
O-Subject: [RHEL-5 PATCH] exit_notify: kill the wrong capable(CAP_KILL) check
Bugzilla: 494271
RH-Acked-by: Eugene Teo <eugene@redhat.com>
RH-Acked-by: Jiri Pirko <jpirko@redhat.com>
RH-Acked-by: Anton Arapov <aarapov@redhat.com>
RH-Acked-by: Don Howard <dhoward@redhat.com>
CVE: CVE-2009-1337

(Trivial backport of upstream (trivial) commit 432870dab85a2f69dc417022646cb9a70acf7f94).

The CAP_KILL check in exit_notify() looks just wrong, kill it.

Whatever logic we have to reset ->exit_signal, the malicious user can bypass it if it execs the setuid application before exiting.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>

diff --git a/kernel/exit.c b/kernel/exit.c index db61e3f..6878408 100644 --- a/kernel/exit.c +++ b/kernel/exit.c @@ -779,9 +779,8 @@ static void exit_notify(struct task_struct *tsk) */ if (tsk->exit_signal != SIGCHLD && tsk->exit_signal != -1 && - ( tsk->parent_exec_id != t->self_exec_id || - tsk->self_exec_id != tsk->parent_exec_id) - && !capable(CAP_KILL)) + (tsk->parent_exec_id != t->self_exec_id || + tsk->self_exec_id != tsk->parent_exec_id)) tsk->exit_signal = SIGCHLD; if (!tracehook_notify_death(tsk, &noreap, &cookie)
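
Review bot: The removed `&& !capable(CAP_KILL)` term in the exit_notify() condition is dropped without the changelog or the code recording why it was wrong, which makes it easy for a later cleanup to reintroduce it. capable() is evaluated against the exiting task itself, so a task that execs a setuid application before exiting can pass capable(CAP_KILL) at this point, and the old condition then skipped the reset of tsk->exit_signal to SIGCHLD in exactly the case the parent_exec_id/self_exec_id comparison exists to catch. A short comment above the condition, stating that the exiting task's own capabilities must not exempt it from the reset, would preserve that reasoning next to the code. The whitespace change from `( tsk->parent_exec_id` to `(tsk->parent_exec_id` is cosmetic; in a security fix it is cleaner to leave it out unless it is needed to keep the backport matching the upstream commit.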