svn commit: r251901 - in head: . sys/vm
Dag-Erling Smørgrav
des at FreeBSD.org
Tue Jun 18 07:02:35 UTC 2013
Author: des
Date: Tue Jun 18 07:02:35 2013
New Revision: 251901
URL: http://svnweb.freebsd.org/changeset/base/251901
Log:
Fix a bug that allowed a tracing process (e.g. gdb) to write
to a memory-mapped file in the traced process's address space
even if neither the traced process nor the tracing process had
write access to that file.
Security: CVE-2013-2171
Security: FreeBSD-SA-13:06.mmap
Approved by: so
Modified:
head/UPDATING
head/sys/vm/vm_map.c
Modified: head/UPDATING
==============================================================================
--- head/UPDATING Tue Jun 18 06:55:58 2013 (r251900)
+++ head/UPDATING Tue Jun 18 07:02:35 2013 (r251901)
@@ -31,6 +31,12 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 10
disable the most expensive debugging functionality run
"ln -s 'abort:false,junk:false' /etc/malloc.conf".)
+20130618:
+ Fix a bug that allowed a tracing process (e.g. gdb) to write
+ to a memory-mapped file in the traced process's address space
+ even if neither the traced process nor the tracing process had
+ write access to that file.
+
20130615:
CVS has been removed from the base system. An exact copy
of the code is available from the devel/cvs port.
Modified: head/sys/vm/vm_map.c
==============================================================================
--- head/sys/vm/vm_map.c Tue Jun 18 06:55:58 2013 (r251900)
+++ head/sys/vm/vm_map.c Tue Jun 18 07:02:35 2013 (r251901)
@@ -3807,6 +3807,12 @@ RetryLookup:;
vm_map_unlock_read(map);
return (KERN_PROTECTION_FAILURE);
}
+ if ((fault_typea & VM_PROT_COPY) != 0 &&
+ (entry->max_protection & VM_PROT_WRITE) == 0 &&
+ (entry->eflags & MAP_ENTRY_COW) == 0) {
+ vm_map_unlock_read(map);
+ return (KERN_PROTECTION_FAILURE);
+ }
/*
* If this page is not pageable, we have to get it for all possible
More information about the svn-src-all
mailing list