6987 disallow setid binaries with $ORIGIN in PT_INTERP

Reviewed by: Robert Mustacchi <rm@joyent.com> Reviewed by: Joshua M. Clulow <jmc@joyent.com> Reviewed by: Dan McDonald <danmcd@omniti.com> Reviewed by: Andy Stormont <astormont@racktopsystems.com> Reviewed by: Garrett D'Amore <garrett@damore.org> Approved by: Dan McDonald <danmcd@omniti.com>
author: Jerry Jelinek <jerry.jelinek@joyent.com> 2016-05-23 22:22:13 -0400
committer: Dan McDonald <danmcd@omniti.com> 2016-05-23 22:22:13 -0400
commit: 03973b9c824451c1d02fc613e033aa196a15ae3c (patch)
tree: 1bf25f3d560462fbdf90222639d1944c959f7059 /usr
parent: 63364b0ee2604783e7a55f8425888867768eafa4 (diff)
download: illumos-joyent-03973b9c824451c1d02fc613e033aa196a15ae3c.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/usr/src/uts/common/exec/elf/elf.c b/usr/src/uts/common/exec/elf/elf.c
index 5f6bee2378..dc04b292b0 100644
--- a/usr/src/uts/common/exec/elf/elf.c
+++ b/usr/src/uts/common/exec/elf/elf.c
@@ -578,6 +578,15 @@ elfexec(vnode_t *vp, execa_t *uap, uarg_t *args, intpdata_t *idatap,
 			if (strncmp(++p, ORIGIN_STR, ORIGIN_STR_SIZE))
 				continue;
 
+			/*
+			 * We don't support $ORIGIN on setid programs to close
+			 * a potential attack vector.
+			 */
+			if ((setid & EXECSETID_SETID) != 0) {
+				error = ENOEXEC;
+				goto bad;
+			}
+
 			curlen = 0;
 			len = p - dlnp - 1;
 			if (len) {
author	Jerry Jelinek <jerry.jelinek@joyent.com>	2016-05-23 22:22:13 -0400
committer	Dan McDonald <danmcd@omniti.com>	2016-05-23 22:22:13 -0400
commit	03973b9c824451c1d02fc613e033aa196a15ae3c (patch)
tree	1bf25f3d560462fbdf90222639d1944c959f7059 /usr
parent	63364b0ee2604783e7a55f8425888867768eafa4 (diff)
download	illumos-joyent-03973b9c824451c1d02fc613e033aa196a15ae3c.tar.gz