author | des <des@FreeBSD.org> | 2013-06-18 07:02:35 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2013-06-18 07:02:35 +0000 |
commit | f5b61fedc22097e0cad65f9e709c47367c42d22a (patch) | |
tree | 128a935a2ea1cc348d2df9fe239a666ee16d9f5d | |
parent | 4d601c587e46dd558eb1f9adc278ec81d0810c8a (diff) | |
Fix a bug that allowed a tracing process (e.g. gdb) to write
to a memory-mapped file in the traced process's address space
even if neither the traced process nor the tracing process had
write access to that file.
Security: CVE-2013-2171
Security: FreeBSD-SA-13:06.mmap
Approved by: so
-rw-r--r-- | UPDATING | 6 | ||||
-rw-r--r-- | sys/vm/vm_map.c | 6 |
2 files changed, 12 insertions, 0 deletions
@@ -31,6 +31,12 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 10.x IS SLOW: disable the most expensive debugging functionality run "ln -s 'abort:false,junk:false' /etc/malloc.conf".) +20130618: + Fix a bug that allowed a tracing process (e.g. gdb) to write + to a memory-mapped file in the traced process's address space + even if neither the traced process nor the tracing process had + write access to that file. + 20130615: CVS has been removed from the base system. An exact copy of the code is available from the devel/cvs port. diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c index a9ae803..1fee839 100644 --- a/sys/vm/vm_map.c +++ b/sys/vm/vm_map.c @@ -3807,6 +3807,12 @@ RetryLookup:; vm_map_unlock_read(map); return (KERN_PROTECTION_FAILURE); } + if ((fault_typea & VM_PROT_COPY) != 0 && + (entry->max_protection & VM_PROT_WRITE) == 0 && + (entry->eflags & MAP_ENTRY_COW) == 0) { + vm_map_unlock_read(map); + return (KERN_PROTECTION_FAILURE); + } /* * If this page is not pageable, we have to get it for all possible |
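Review bot: The 20130618 entry added to UPDATING describes the bug but names neither the advisory nor the CVE, so someone reading UPDATING alone cannot match the entry to a published fix. Suggest ending the entry with the identifiers the commit message already carries, "FreeBSD-SA-13:06.mmap" and "CVE-2013-2171". Because the change is in sys/vm/vm_map.c, the entry could also say that the fix takes effect only once the rebuilt kernel is running.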
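Review bot: The check added after RetryLookup in sys/vm/vm_map.c has no comment, and its three-part condition does not explain itself: it returns KERN_PROTECTION_FAILURE when fault_typea carries VM_PROT_COPY, entry->max_protection lacks VM_PROT_WRITE, and MAP_ENTRY_COW is not set in entry->eflags. Suggest a short comment above "if ((fault_typea & VM_PROT_COPY) != 0 &&" stating the intent given in the commit message (a write forced by a tracing process must not reach a memory-mapped file that neither process may write) and why the MAP_ENTRY_COW case is exempt. Without it, the block reads as a near duplicate of the unlock-and-return immediately above it and is easy to merge or drop in a later cleanup.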