svn commit: r251903 - in releng/9.1: . sys/conf sys/vm

Dag-Erling Smørgrav des at FreeBSD.org
Tue Jun 18 07:05:52 UTC 2013


Author: des
Date: Tue Jun 18 07:05:51 2013
New Revision: 251903
URL: http://svnweb.freebsd.org/changeset/base/251903

Log:
  Fix a bug that allowed a tracing process (e.g. gdb) to write
  to a memory-mapped file in the traced process's address space
  even if neither the traced process nor the tracing process had
  write access to that file.
  
  Security:	CVE-2013-2171
  Security:	FreeBSD-SA-13:06.mmap
  Approved by:	so

Modified:
  releng/9.1/UPDATING
  releng/9.1/sys/conf/newvers.sh
  releng/9.1/sys/vm/vm_map.c

Modified: releng/9.1/UPDATING
==============================================================================
--- releng/9.1/UPDATING	Tue Jun 18 07:04:19 2013	(r251902)
+++ releng/9.1/UPDATING	Tue Jun 18 07:05:51 2013	(r251903)
@@ -9,6 +9,12 @@ handbook.
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20130618:	p4	FreeBSD-SA-13:06.mmap
+        Fix a bug that allowed a tracing process (e.g. gdb) to write
+        to a memory-mapped file in the traced process's address space
+        even if neither the traced process nor the tracing process had
+        write access to that file.
+
 20130429:	p3	FreeBSD-SA-13:05.nfsserver
 	Fix a bug that allows NFS clients to issue READDIR on files.
 
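Review bot: the body lines of the new 20130618 entry are indented with eight spaces, while the neighbouring 20130429 entry indents its body with a tab. Use a tab here as well so the file stays consistent and later patches against UPDATING do not pick up whitespace-only differences.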

Modified: releng/9.1/sys/conf/newvers.sh
==============================================================================
--- releng/9.1/sys/conf/newvers.sh	Tue Jun 18 07:04:19 2013	(r251902)
+++ releng/9.1/sys/conf/newvers.sh	Tue Jun 18 07:05:51 2013	(r251903)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="9.1"
-BRANCH="RELEASE-p3"
+BRANCH="RELEASE-p4"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/9.1/sys/vm/vm_map.c
==============================================================================
--- releng/9.1/sys/vm/vm_map.c	Tue Jun 18 07:04:19 2013	(r251902)
+++ releng/9.1/sys/vm/vm_map.c	Tue Jun 18 07:05:51 2013	(r251903)
@@ -3761,6 +3761,12 @@ RetryLookup:;
 		vm_map_unlock_read(map);
 		return (KERN_PROTECTION_FAILURE);
 	}
+	if ((fault_typea & VM_PROT_COPY) != 0 &&
+	    (entry->max_protection & VM_PROT_WRITE) == 0 &&
+	    (entry->eflags & MAP_ENTRY_COW) == 0) {
+		vm_map_unlock_read(map);
+		return (KERN_PROTECTION_FAILURE);
+	}
 
 	/*
 	 * If this page is not pageable, we have to get it for all possible
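Review bot: the added `if` that follows the existing KERN_PROTECTION_FAILURE return has no comment, and the reason for the three-part condition is not obvious from the code alone. The log message says the bug is a tracing process writing to a mapped file that neither process can write, so a short comment above the test would help: a fault carrying VM_PROT_COPY is refused when the entry's max_protection lacks VM_PROT_WRITE and the entry is not MAP_ENTRY_COW, because a copy-style write would otherwise land in the backing object. It would also be worth stating why the test uses max_protection rather than the current protection, since the two are easy to confuse for a later reader. The unlock-and-return body repeats the one in the check directly above. Keeping the two tests separate is fine for readability, but the comment should make clear that they guard different cases.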