exit_notify: kill the wrong capable(CAP_KILL) check (CVE-2009-1337)

CVE-2009-1337

commit 432870dab85a2f69dc417022646cb9a70acf7f94 upstream.

The CAP_KILL check in exit_notify() looks just wrong, kill it.

Whatever logic we have to reset ->exit_signal, the malicious user
can bypass it if it execs the setuid application before exiting.

Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Acked-by: Serge Hallyn <serue@us.ibm.com>
Acked-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/kernel/exit.c b/kernel/exit.c
index 14096a116173a6ae01b35944965d9d363d3c7041..8715136aca464cce1ca8f8969aef4ab519cc20f4 100644 (file)
--- a/kernel/exit.c
+++ b/kernel/exit.c
@@ -938,8 +938,7 @@ static void exit_notify(struct task_struct *tsk, int group_dead)
         */
        if (tsk->exit_signal != SIGCHLD && !task_detached(tsk) &&
            (tsk->parent_exec_id != tsk->real_parent->self_exec_id ||
-            tsk->self_exec_id != tsk->parent_exec_id) &&
-           !capable(CAP_KILL))
+            tsk->self_exec_id != tsk->parent_exec_id))
                tsk->exit_signal = SIGCHLD;
 
        signal = tracehook_notify_death(tsk, &cookie, group_dead);