On Thu, 19 Nov 2015 16:10:43 -0800 Kees Cook <keescook@xxxxxxxxxxxx> wrote: > Normally, when a user can modify a file that has setuid or setgid bits, > those bits are cleared when they are not the file owner or a member of the > group. This is enforced when using write() directly but not when writing > to a shared mmap on the file. This could allow the file writer to gain > privileges by changing the binary without losing the setuid/setgid bits. > > Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> > Cc: stable@xxxxxxxxxxxxxxx > --- > mm/memory.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/mm/memory.c b/mm/memory.c > index deb679c31f2a..4c970a4e0057 100644 > --- a/mm/memory.c > +++ b/mm/memory.c > @@ -2036,6 +2036,7 @@ static inline int wp_page_reuse(struct mm_struct *mm, > > if (!page_mkwrite) > file_update_time(vma->vm_file); > + file_remove_privs(vma->vm_file); > } > > return VM_FAULT_WRITE; file_remove_privs() is depressingly heavyweight. You'd think there was some more lightweight way of caching the fact that we've already done this. Dumb question: can we run file_remove_privs() once, when the file is opened writably, rather than for each and every write into each page? Also, the proposed patch drops the file_remove_privs() return value on the floor and we just go ahead with the modification. How come? -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>