On Thu, Nov 19, 2015 at 5:00 PM, Willy Tarreau <w@xxxxxx> wrote: > Hi Kees, > > On Thu, Nov 19, 2015 at 04:10:43PM -0800, Kees Cook wrote: >> Normally, when a user can modify a file that has setuid or setgid bits, >> those bits are cleared when they are not the file owner or a member of the >> group. This is enforced when using write() directly but not when writing >> to a shared mmap on the file. This could allow the file writer to gain >> privileges by changing the binary without losing the setuid/setgid bits. >> >> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> >> Cc: stable@xxxxxxxxxxxxxxx >> --- >> mm/memory.c | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/mm/memory.c b/mm/memory.c >> index deb679c31f2a..4c970a4e0057 100644 >> --- a/mm/memory.c >> +++ b/mm/memory.c >> @@ -2036,6 +2036,7 @@ static inline int wp_page_reuse(struct mm_struct *mm, >> >> if (!page_mkwrite) >> file_update_time(vma->vm_file); >> + file_remove_privs(vma->vm_file); > > I thought you said in one of the early mails of this thread that it > didn't work. Or maybe I misunderstood. I had a think-o in my earlier attempts. I understood the meaning of page_mkwrite incorrectly. > Also, don't you think we should move that into the if (!page_mkwrite) > just like for the time update ? Nope, page_mkwrite indicates if there was a vmops call to page_mkwrite. In this case, it means "I will update the file time if the filesystem driver didn't take care of it like it should". For file_remove_privs, we want to always do it, since we should not depend on filesystems to do it. -Kees -- Kees Cook Chrome OS Security -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>