Fix a bug that allowed a tracing process (e.g. gdb) to write

to a memory-mapped file in the traced process's address space even if neither the traced process nor the tracing process had write access to that file. Security: CVE-2013-2171 Security: FreeBSD-SA-13:06.mmap Approved by: so
svn path=/head/; revision=251901
2013-06-18 07:02:35 +00:00 · 2013-06-18 07:02:35 +00:00 · 5b3e02570a · 2020-12-20 02:59:44 +00:00
commit 5b3e02570a
parent 51091a0763
2 changed files with 12 additions and 0 deletions
--- a/6
+++ b/6
@ -31,6 +31,12 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 10.x IS SLOW:
 	disable the most expensive debugging functionality run
 	"ln -s 'abort:false,junk:false' /etc/malloc.conf".)

+20130618:
+	Fix a bug that allowed a tracing process (e.g. gdb) to write
+	to a memory-mapped file in the traced process's address space
+	even if neither the traced process nor the tracing process had
+	write access to that file.
+
 20130615:
 	CVS has been removed from the base system.  An exact copy
 	of the code is available from the devel/cvs port.
--- a/sys/vm/vm_map.c
+++ b/sys/vm/vm_map.c
@ -3807,6 +3807,12 @@ RetryLookup:;
 		vm_map_unlock_read(map);
 		return (KERN_PROTECTION_FAILURE);
 	}
+	if ((fault_typea & VM_PROT_COPY) != 0 &&
+	    (entry->max_protection & VM_PROT_WRITE) == 0 &&
+	    (entry->eflags & MAP_ENTRY_COW) == 0) {
+		vm_map_unlock_read(map);
+		return (KERN_PROTECTION_FAILURE);
+	}

 	/*
 	 * If this page is not pageable, we have to get it for all possible