[PATCH] Don't uselessly export task_struct to userspace in core dumps

task_struct is an internal structure to the kernel with a lot of good information, that is probably interesting in core dumps. However there is no way for user space to know what format that information is in making it useless. I grepped the GDB 6.3 source code and NT_TASKSTRUCT while defined is not used anywhere else. So I would be surprised if anyone notices it is missing. In addition exporting kernel pointers to all the interesting kernel data structures sounds like the very definition of an information leak. I haven't a clue what someone with evil intentions could do with that information, but in any attack against the kernel it looks like this is the perfect tool for aiming that attack. So since NT_TASKSTRUCT is useless as currently defined and is potentially dangerous, let's just not export it. (akpm: Daniel Jacobowitz <dan@debian.org> "would be amazed" if anything was using NT_TASKSTRUCT). Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] Don't uselessly export task_struct to userspace in core dumps
task_struct is an internal structure to the kernel with a lot of good information, that is probably interesting in core dumps. However there is no way for user space to know what format that information is in making it useless. I grepped the GDB 6.3 source code and NT_TASKSTRUCT while defined is not used anywhere else. So I would be surprised if anyone notices it is missing. In addition exporting kernel pointers to all the interesting kernel data structures sounds like the very definition of an information leak. I haven't a clue what someone with evil intentions could do with that information, but in any attack against the kernel it looks like this is the perfect tool for aiming that attack. So since NT_TASKSTRUCT is useless as currently defined and is potentially dangerous, let's just not export it. (akpm: Daniel Jacobowitz <dan@debian.org> "would be amazed" if anything was using NT_TASKSTRUCT). Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Eric W. Biederman · Linus Torvalds
1 parent dfc4f94d2f
Showing 2 changed files with 7 additions and 14 deletions Side-by-side Diff
arch/mips/kernel/irixelf.c
fs/binfmt_elf.c
@@ -1077,8 +1077,8 @@
 	struct elfhdr elf;
 	off_t offset = 0, dataoff;
 	int limit = current->signal->rlim[RLIMIT_CORE].rlim_cur;
-	int numnote = 4;
-	struct memelfnote notes[4];
+	int numnote = 3;
+	struct memelfnote notes[3];
 	struct elf_prstatus prstatus;	/* NT_PRSTATUS */
 	elf_fpregset_t fpu;		/* NT_PRFPREG */
 	struct elf_prpsinfo psinfo;	/* NT_PRPSINFO */
  
@@ -1211,20 +1211,15 @@
 	}
 	strlcpy(psinfo.pr_fname, current->comm, sizeof(psinfo.pr_fname));
  
-	notes[2].name = "CORE";
-	notes[2].type = NT_TASKSTRUCT;
-	notes[2].datasz = sizeof(*current);
-	notes[2].data = current;
-
 	/* Try to dump the FPU. */
 	prstatus.pr_fpvalid = dump_fpu (regs, &fpu);
 	if (!prstatus.pr_fpvalid) {
 		numnote--;
 	} else {
-		notes[3].name = "CORE";
-		notes[3].type = NT_PRFPREG;
-		notes[3].datasz = sizeof(fpu);
-		notes[3].data = &fpu;
+		notes[2].name = "CORE";
+		notes[2].type = NT_PRFPREG;
+		notes[2].datasz = sizeof(fpu);
+		notes[2].data = &fpu;
 	}
  
 	/* Write notes phdr entry. */
@@ -1502,9 +1502,7 @@
 	fill_psinfo(psinfo, current->group_leader, current->mm);
 	fill_note(notes +1, "CORE", NT_PRPSINFO, sizeof(*psinfo), psinfo);
  
-	fill_note(notes +2, "CORE", NT_TASKSTRUCT, sizeof(*current), current);
-  
-	numnote = 3;
+	numnote = 2;
  
 	auxv = (elf_addr_t *) current->mm->saved_auxv;
...	...	@@ -1077,8 +1077,8 @@
1077	1077	struct elfhdr elf;
1078	1078	off_t offset = 0, dataoff;
1079	1079	int limit = current->signal->rlim[RLIMIT_CORE].rlim_cur;
1080		- int numnote = 4;
1081		- struct memelfnote notes[4];
	1080	+ int numnote = 3;
	1081	+ struct memelfnote notes[3];
1082	1082	struct elf_prstatus prstatus; /* NT_PRSTATUS */
1083	1083	elf_fpregset_t fpu; /* NT_PRFPREG */
1084	1084	struct elf_prpsinfo psinfo; /* NT_PRPSINFO */
1085	1085
...	...	@@ -1211,20 +1211,15 @@
1211	1211	}
1212	1212	strlcpy(psinfo.pr_fname, current->comm, sizeof(psinfo.pr_fname));
1213	1213
1214		- notes[2].name = "CORE";
1215		- notes[2].type = NT_TASKSTRUCT;
1216		- notes[2].datasz = sizeof(*current);
1217		- notes[2].data = current;
1218		-
1219	1214	/* Try to dump the FPU. */
1220	1215	prstatus.pr_fpvalid = dump_fpu (regs, &fpu);
1221	1216	if (!prstatus.pr_fpvalid) {
1222	1217	numnote--;
1223	1218	} else {
1224		- notes[3].name = "CORE";
1225		- notes[3].type = NT_PRFPREG;
1226		- notes[3].datasz = sizeof(fpu);
1227		- notes[3].data = &fpu;
	1219	+ notes[2].name = "CORE";
	1220	+ notes[2].type = NT_PRFPREG;
	1221	+ notes[2].datasz = sizeof(fpu);
	1222	+ notes[2].data = &fpu;
1228	1223	}
1229	1224
1230	1225	/* Write notes phdr entry. */
...	...	@@ -1502,9 +1502,7 @@
1502	1502	fill_psinfo(psinfo, current->group_leader, current->mm);
1503	1503	fill_note(notes +1, "CORE", NT_PRPSINFO, sizeof(*psinfo), psinfo);
1504	1504
1505		- fill_note(notes +2, "CORE", NT_TASKSTRUCT, sizeof(*current), current);
1506		-
1507		- numnote = 3;
	1505	+ numnote = 2;
1508	1506
1509	1507	auxv = (elf_addr_t *) current->mm->saved_auxv;
1510	1508