From 03973b9c824451c1d02fc613e033aa196a15ae3c Mon Sep 17 00:00:00 2001
From: Jerry Jelinek
Date: Mon, 23 May 2016 22:22:13 -0400
Subject: [PATCH] 6987 disallow setid binaries with $ORIGIN in PT_INTERP

Reviewed by: Robert Mustacchi
Reviewed by: Joshua M. Clulow
Reviewed by: Dan McDonald
Reviewed by: Andy Stormont
Reviewed by: Garrett D'Amore
Approved by: Dan McDonald
---
 usr/src/uts/common/exec/elf/elf.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/usr/src/uts/common/exec/elf/elf.c b/usr/src/uts/common/exec/elf/elf.c
index 5f6bee2378..dc04b292b0 100644
--- a/usr/src/uts/common/exec/elf/elf.c
+++ b/usr/src/uts/common/exec/elf/elf.c
@@ -578,6 +578,15 @@ elfexec(vnode_t *vp, execa_t *uap, uarg_t *args, intpdata_t *idatap,
 if (strncmp(++p, ORIGIN_STR, ORIGIN_STR_SIZE))
 continue;
 
+ /*
+ * We don't support $ORIGIN on setid programs to close
+ * a potential attack vector.
+ */
+ if ((setid & EXECSETID_SETID) != 0) {
+ error = ENOEXEC;
+ goto bad;
+ }
+
 curlen = 0;
 len = p - dlnp - 1;
 if (len) {
-- 
2.11.4.GIT
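Review bot: The comment above the new `setid` check says only "a potential attack vector", which does not tell a later maintainer what the guard protects or whether it is still sufficient. It would be clearer to state the reason, for example `/* $ORIGIN resolves relative to the executable's location, which the invoking user may control; never honor it in PT_INTERP for setid programs. */`. The test covers only `EXECSETID_SETID`; whether `setid` can carry other privilege-gaining bits without that one set is not visible in this hunk, so that is worth confirming against the callers. `elfexec` starts and ends outside the hunk, including the `bad` label, so the cleanup done on the `goto bad` path cannot be checked from this diff.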