mudflap accepts options via $MUDFLAP_OPTIONS even when running setuid. The -viol-gdb option invokes programs upon error detection, which is bad. Note that NULL ptr derefs, which are unexploitable in userspace programs, then become exploitable. Fix by either ignoring this variable for setuids (other options are bad too; what is a mudflap worth if it can be disabled for the setuids it should protect) or some other magic.
Changing system() to execve() is not enough, since resources like open files may also leak from a setuid binary.
Created attachment 18631: proposed patch

This patch fixes and documents the can-of-wormsness of setuid.
Committed.
Subject: Bug 41433
Author: fche
Date: Tue Sep 22 16:17:50 2009
New Revision: 152026
URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=152026

Log:
2009-09-22  Frank Ch. Eigler  <fche@redhat.com>

	PR libmudflap/41433
	* mf-runtime.c (__mf_init): Ignore $MUDFLAP_OPTIONS if running setuid or setgid.

Modified:
trunk/libmudflap/ChangeLog
trunk/libmudflap/mf-runtime.c
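The policy behind the committed fix, as an added example that is not libmudflap's own code: a runtime library that takes configuration from an environment variable must first decide whether the environment can be trusted, and for a setuid or setgid process (real and effective ids differ) it must ignore the variable entirely rather than filter individual options, since any option that spawns a program or opens a file runs with the elevated privileges. The variable name, the option parser and the `runtime_opts` struct below are assumptions made for the illustration; only the `-viol-gdb` option name is taken from the report.

```c
/* Added example, not libmudflap code: refuse environment-supplied options
 * when the process is setuid or setgid. Build: cc -std=c99 example.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Hypothetical option set standing in for a runtime's real configuration. */
typedef struct {
    int viol_gdb;     /* would spawn a debugger on violation: never under setuid */
    int ignored_env;  /* set when the environment was deliberately not consulted */
} runtime_opts;

/* Pure decision function so the policy can be tested without actually running
 * setuid: the environment is trusted only when real == effective for both
 * user and group. Taking the ids as parameters keeps the rule testable. */
int env_options_trusted(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid == euid && gid == egid;
}

/* Apply options from an environment string such as "-viol-gdb". If the process
 * is privileged, the whole string is ignored before any option is looked at:
 * filtering single options would leave every other one exploitable too. */
runtime_opts apply_options(const char *env_value,
                           uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    runtime_opts o = {0, 0};
    if (!env_options_trusted(uid, euid, gid, egid)) {
        o.ignored_env = 1;          /* setuid/setgid: environment not consulted */
        return o;
    }
    if (env_value == NULL)
        return o;                   /* unprivileged, but nothing configured */

    char buf[256];                  /* strtok needs a writable copy */
    strncpy(buf, env_value, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok != NULL; tok = strtok(NULL, " ")) {
        if (strcmp(tok, "-viol-gdb") == 0)
            o.viol_gdb = 1;
        /* further option names would be matched here */
    }
    return o;
}

/* Stand-alone demonstration against the current process's own ids, reading a
 * hypothetical variable name (not the real $MUDFLAP_OPTIONS). */
int main(void)
{
    runtime_opts o = apply_options(getenv("EXAMPLE_RUNTIME_OPTIONS"),
                                   getuid(), geteuid(), getgid(), getegid());
    printf("environment %s, viol_gdb=%d\n",
           o.ignored_env ? "ignored (setuid/setgid)" : "honoured", o.viol_gdb);
    return 0;
}
```

The real/effective id comparison is the portable check; on glibc, `getauxval(AT_SECURE)` from `<sys/auxv.h>` is a stronger signal because the kernel also sets it for processes that gained privilege through file capabilities, not only through setuid/setgid bits. Ignoring the variable outright, rather than only the `-viol-gdb` option, also covers the second comment's point: an option that merely opens a file or descriptor can leak it from the privileged process as well.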