On Wed, Dec 9, 2015 at 5:21 PM, Christoph Hellwig <hch@xxxxxxxxxxxxx> wrote: >> Changing the bits requires holding inode->i_mutex, so it cannot be done >> during the page fault (due to mmap_sem being held during the fault). We >> could do this during vm_mmap_pgoff, but that would need coverage in >> mprotect as well, but to check for MAP_SHARED, we'd need to hold mmap_sem >> again. We could clear at open() time, but it's possible things are >> accidentally opening with O_RDWR and only reading. Better to clear on >> close and error failures (i.e. an improvement over now, which is not >> clearing at all). >> >> Instead, detect the need to clear the bits during the page fault, and >> actually remove the bits during final fput. Since the file was open for >> writing, it wouldn't have been possible to execute it yet. > > >> >> Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> >> --- >> I think this is the best we can do; everything else is blocked by mmap_sem. > > It should be done at mmap time, before even taking mmap_sem. > > Adding a new field for this to strut file isn't really acceptable. I already covered this: there's no way to handle the mprotect case -- checking for MAP_SHARED is under mmap_sem still. -Kees -- Kees Cook Chrome OS & Brillo Security -- To unsubscribe, send a message with 'unsubscribe linux-mm' in the body to majordomo@xxxxxxxxx. For more info on Linux MM, see: http://www.linux-mm.org/ . Don't email: <a href=mailto:"dont@xxxxxxxxx";> email@xxxxxxxxx </a>