authorDag-Erling Smørgrav <des@FreeBSD.org>2013-06-18 07:05:51 +0000
committerDag-Erling Smørgrav <des@FreeBSD.org>2013-06-18 07:05:51 +0000
commit26815336a33a7e3e8663e3bce9e2291742ce709e (patch)
tree0a423005fbc38483578e8c9874e33e29fe46418e
parentb1796cb26832ae6f2fc2d8258ce9c272c68db5b6 (diff)
Fix a bug that allowed a tracing process (e.g. gdb) to write
to a memory-mapped file in the traced process's address space even if neither the traced process nor the tracing process had write access to that file.

Security: CVE-2013-2171
Security: FreeBSD-SA-13:06.mmap
Approved by: so
Notes
Notes: svn path=/releng/9.1/; revision=251903
-rw-r--r--UPDATING6
-rw-r--r--sys/conf/newvers.sh2
-rw-r--r--sys/vm/vm_map.c6
3 files changed, 13 insertions, 1 deletions
diff --git a/UPDATING b/UPDATING
index 43b120d5acef..7c45e16b510b 100644
--- a/UPDATING
+++ b/UPDATING
@@ -9,6 +9,12 @@ handbook.
Items affecting the ports and packages system can be found in
/usr/ports/UPDATING. Please read that file before running portupgrade.
+20130618: p4 FreeBSD-SA-13:06.mmap
+ Fix a bug that allowed a tracing process (e.g. gdb) to write
+ to a memory-mapped file in the traced process's address space
+ even if neither the traced process nor the tracing process had
+ write access to that file.
+
20130429: p3 FreeBSD-SA-13:05.nfsserver
Fix a bug that allows NFS clients to issue READDIR on files.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 21c32eaa7de7..fa1f09988117 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="9.1"
-BRANCH="RELEASE-p3"
+BRANCH="RELEASE-p4"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi
diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c
index 5cb1fef1e569..0b93fb51c514 100644
--- a/sys/vm/vm_map.c
+++ b/sys/vm/vm_map.c
@@ -3761,6 +3761,12 @@ RetryLookup:;
vm_map_unlock_read(map);
return (KERN_PROTECTION_FAILURE);
}
+ if ((fault_typea & VM_PROT_COPY) != 0 &&
+ (entry->max_protection & VM_PROT_WRITE) == 0 &&
+ (entry->eflags & MAP_ENTRY_COW) == 0) {
+ vm_map_unlock_read(map);
+ return (KERN_PROTECTION_FAILURE);
+ }
/*
* If this page is not pageable, we have to get it for all possible
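Review bot: The new guard `if ((fault_typea & VM_PROT_COPY) != 0 && ...` is the entire fix for CVE-2013-2171, yet it carries no comment, so a later refactor of this protection-check sequence could drop or reorder it without anyone noticing. I would put a comment directly above it, along the lines of `/* A forced-copy (VM_PROT_COPY) fault, e.g. a debugger write, must not succeed on a non-COW entry whose max_protection excludes write: see FreeBSD-SA-13:06.mmap. */`. It is also worth stating in that comment why the test reads the raw `fault_typea` argument; presumably the local copy used by the earlier checks no longer carries VM_PROT_COPY, but the hunk does not show that. The enclosing function begins and ends outside this hunk, so any other lookup path in the file that repeats these protection checks should be confirmed to have an equivalent guard.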