svn commit: r251902 - in stable/9: . sys/vm

[Dag-Erling Smørgrav]

Author: des
Date: Tue Jun 18 07:04:19 2013
New Revision: 251902
URL: http://svnweb.freebsd.org/changeset/base/251902

Log:
  Fix a bug that allowed a tracing process (e.g. gdb) to write
  to a memory-mapped file in the traced process's address space
  even if neither the traced process nor the tracing process had
  write access to that file.
  
  Security:	CVE-2013-2171
  Security:	FreeBSD-SA-13:06.mmap
  Approved by:	so

Modified:
  stable/9/UPDATING
  stable/9/sys/vm/vm_map.c

Modified: stable/9/UPDATING
==============================================================================
--- stable/9/UPDATING	Tue Jun 18 07:02:35 2013	(r251901)
+++ stable/9/UPDATING	Tue Jun 18 07:04:19 2013	(r251902)
@@ -11,6 +11,12 @@ handbook:
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running portupgrade.
 
+20130618:
+        Fix a bug that allowed a tracing process (e.g. gdb) to write
+        to a memory-mapped file in the traced process's address space
+        even if neither the traced process nor the tracing process had
+        write access to that file.
+
 20130605:
 	Added ZFS TRIM support which is enabled by default. To disable
 	ZFS TRIM support set vfs.zfs.trim.enabled=0 in loader.conf.

Modified: stable/9/sys/vm/vm_map.c
==============================================================================
--- stable/9/sys/vm/vm_map.c	Tue Jun 18 07:02:35 2013	(r251901)
+++ stable/9/sys/vm/vm_map.c	Tue Jun 18 07:04:19 2013	(r251902)
@@ -3799,6 +3799,12 @@ RetryLookup:;
 		vm_map_unlock_read(map);
 		return (KERN_PROTECTION_FAILURE);
 	}
+	if ((fault_typea & VM_PROT_COPY) != 0 &&
+	    (entry->max_protection & VM_PROT_WRITE) == 0 &&
+	    (entry->eflags & MAP_ENTRY_COW) == 0) {
+		vm_map_unlock_read(map);
+		return (KERN_PROTECTION_FAILURE);
+	}
 
 	/*
 	 * If this page is not pageable, we have to get it for all possible