The patch titled
     Subject: mm/mmap.c: clear file privilege bits when mmap writing
has been removed from the -mm tree. Its filename was
     fs-clear-file-privilege-bits-when-mmap-writing.patch

This patch was dropped because an updated version will be merged

------------------------------------------------------
From: Kees Cook <keescook@xxxxxxxxxxxx>
Subject: mm/mmap.c: clear file privilege bits when mmap writing

Normally, when a user can modify a file that has setuid or setgid bits, those bits are cleared when they are not the file owner or a member of the group. This is enforced when using write and truncate but not when writing to a shared mmap on the file. This could allow the file writer to gain privileges by changing a binary without losing the setuid/setgid/caps bits.

Changing the bits requires holding inode->i_mutex, so it cannot be done during the page fault (due to mmap_sem being held during the fault). Instead, clear the bits if PROT_WRITE is being used at mmap time.

Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Cc: Jan Kara <jack@xxxxxxx>
Cc: Willy Tarreau <w@xxxxxx>
Cc: "Eric W. Biederman" <ebiederm@xxxxxxxxxxxx>
Cc: "Kirill A. Shutemov" <kirill.shutemov@xxxxxxxxxxxxxxx>
Cc: Oleg Nesterov <oleg@xxxxxxxxxx>
Cc: Rik van Riel <riel@xxxxxxxxxx>
Cc: Chen Gang <gang.chen.5i5j@xxxxxxxxx>
Cc: Davidlohr Bueso <dave@xxxxxxxxxxxx>
Cc: Andrea Arcangeli <aarcange@xxxxxxxxxx>
Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxx>
Cc: <stable@xxxxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 mm/mmap.c |   11 +++++++++++
 1 file changed, 11 insertions(+)

diff -puN mm/mmap.c~fs-clear-file-privilege-bits-when-mmap-writing mm/mmap.c
--- a/mm/mmap.c~fs-clear-file-privilege-bits-when-mmap-writing
+++ a/mm/mmap.c
@@ -1352,6 +1352,17 @@ unsigned long do_mmap(struct file *file, if (locks_verify_locked(file)) return -EAGAIN; + /* + * If we must remove privs, we do it here since + * doing it during page COW is expensive and + * cannot hold inode->i_mutex. + */ + if (prot & PROT_WRITE && !IS_NOSEC(inode)) { + mutex_lock(&inode->i_mutex); + file_remove_privs(file); + mutex_unlock(&inode->i_mutex); + } + vm_flags |= VM_SHARED | VM_MAYSHARE; if (!(file->f_mode & FMODE_WRITE)) vm_flags &= ~(VM_MAYWRITE | VM_SHARED); _ Patches currently in -mm which might be from keescook@xxxxxxxxxxxx are sysctl-enable-strict-writes.patch -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
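Review bot: the return value of file_remove_privs() is discarded in the new block in do_mmap(); it can fail (the underlying notify_change() returns an error on some filesystems), and on failure the mapping is still created with the setuid/setgid/caps bits intact, which is exactly the state the patch exists to prevent, so capture it and bail out, e.g. `ret = file_remove_privs(file);` under the mutex and `if (ret) return ret;` after `mutex_unlock(&inode->i_mutex);`. Second, do_mmap() runs with mmap_sem already held by its caller, so taking inode->i_mutex here establishes mmap_sem -> i_mutex ordering, the reverse of the normal write path, which holds i_mutex while copying from user space and can fault under mmap_sem; the commit message itself cites mmap_sem as the reason the fault path cannot take i_mutex, and the same constraint applies at mmap time, so this needs a lockdep run before it can go in. Minor: `prot & PROT_WRITE && !IS_NOSEC(inode)` relies on `&` binding tighter than `&&`; writing `(prot & PROT_WRITE)` matches the surrounding style, and the comment's "during page COW" should say "during the page fault", since a write to a MAP_SHARED mapping is not a COW.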