svn commit: r251901 - in head: . sys/vm

[Dag-Erling Smørgrav]

Author: des
Date: Tue Jun 18 07:02:35 2013
New Revision: 251901
URL: http://svnweb.freebsd.org/changeset/base/251901

Log:
  Fix a bug that allowed a tracing process (e.g. gdb) to write
  to a memory-mapped file in the traced process's address space
  even if neither the traced process nor the tracing process had
  write access to that file.
  
  Security:	CVE-2013-2171
  Security:	FreeBSD-SA-13:06.mmap
  Approved by:	so

Modified:
  head/UPDATING
  head/sys/vm/vm_map.c

Modified: head/UPDATING
==============================================================================
--- head/UPDATING	Tue Jun 18 06:55:58 2013	(r251900)
+++ head/UPDATING	Tue Jun 18 07:02:35 2013	(r251901)
@@ -31,6 +31,12 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 10
 	disable the most expensive debugging functionality run
 	"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
 
+20130618:
+	Fix a bug that allowed a tracing process (e.g. gdb) to write
+	to a memory-mapped file in the traced process's address space
+	even if neither the traced process nor the tracing process had
+	write access to that file.
+
 20130615:
 	CVS has been removed from the base system.  An exact copy
 	of the code is available from the devel/cvs port.

Modified: head/sys/vm/vm_map.c
==============================================================================
--- head/sys/vm/vm_map.c	Tue Jun 18 06:55:58 2013	(r251900)
+++ head/sys/vm/vm_map.c	Tue Jun 18 07:02:35 2013	(r251901)
@@ -3807,6 +3807,12 @@ RetryLookup:;
 		vm_map_unlock_read(map);
 		return (KERN_PROTECTION_FAILURE);
 	}
+	if ((fault_typea & VM_PROT_COPY) != 0 &&
+	    (entry->max_protection & VM_PROT_WRITE) == 0 &&
+	    (entry->eflags & MAP_ENTRY_COW) == 0) {
+		vm_map_unlock_read(map);
+		return (KERN_PROTECTION_FAILURE);
+	}
 
 	/*
 	 * If this page is not pageable, we have to get it for all possible