- shmat-stop-mprotect-from-giving-write-permission-to-a-readonly-attachment.patch removed from -mm tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The patch titled

     shmat: stop mprotect from giving write permission to a readonly attachment

has been removed from the -mm tree.  Its filename is

     shmat-stop-mprotect-from-giving-write-permission-to-a-readonly-attachment.patch

This patch was probably dropped from -mm because
it has now been merged into a subsystem tree or
into Linus's tree, or because it was folded into
its parent patch in the -mm tree.


From: Hugh Dickins <hugh@xxxxxxxxxxx>

I found that all of 2.4 and 2.6 have been letting mprotect give write
permission to a readonly attachment of shared memory, whether or not IPC
would give the caller that permission.

SUS says "The behaviour of this function [mprotect] is unspecified if the
mapping was not established by a call to mmap", but I don't think we can
interpret that as allowing it to subvert IPC permissions.

I haven't tried 2.2, but the 2.2.26 source looks like it gets it right; and
the patch below reproduces that behaviour - mprotect cannot be used to add
write permission to a shared memory segment attached readonly.

This patch is simple, and I'm sure it's what we should have done in 2.4.0:
if you want to go on to switch write permission on and off with mprotect,
just don't attach the segment readonly in the first place.

However, we could have accumulated apps which attach readonly (even though
they would be permitted to attach read/write), and which subsequently use
mprotect to switch write permission on and off: it's not unreasonable.

I was going to add a second ipcperms check in do_shmat, to check for
writable when readonly, and if not writable find_vma and clear VM_MAYWRITE.
 But security_ipc_permission might do auditing, and it seems wrong to
report an attempt for write permission when there has been none.  Or we
could flag the vma as SHM, note the shmid or shp in vm_private_data, and
then get mprotect to check.

But the patch below is a lot simpler: I'd rather stick with it, if we can
convince ourselves somehow that it'll be safe.

Signed-off-by: Hugh Dickins <hugh@xxxxxxxxxxx>
Cc: <stable@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---

 ipc/shm.c |    2 ++
 1 files changed, 2 insertions(+)

diff -puN ipc/shm.c~shmat-stop-mprotect-from-giving-write-permission-to-a-readonly-attachment ipc/shm.c
--- devel/ipc/shm.c~shmat-stop-mprotect-from-giving-write-permission-to-a-readonly-attachment	2006-04-14 23:42:01.000000000 -0700
+++ devel-akpm/ipc/shm.c	2006-04-14 23:42:01.000000000 -0700
@@ -164,6 +164,8 @@ static int shm_mmap(struct file * file, 
 	ret = shmem_mmap(file, vma);
 	if (ret == 0) {
 		vma->vm_ops = &shm_vm_ops;
+		if (!(vma->vm_flags & VM_WRITE))
+			vma->vm_flags &= ~VM_MAYWRITE;
 		shm_inc(file->f_dentry->d_inode->i_ino);
 	}
 
_

Patches currently in -mm which might be from hugh@xxxxxxxxxxx are

origin.patch
uml-madv_remove-fixes.patch
mm-vm_bug_on.patch
page-migration-make-do_swap_page-redo-the-fault.patch
migration-remove-unnecessary-pageswapcache-checks.patch
migration-remove-unnecessary-pageswapcache-checks-fix.patch

-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Kernel Newbies FAQ]     [Kernel Archive]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [Bugtraq]     [Photo]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]

  Powered by Linux