From 9b83d65894bb5d142e6b390ebf9a681bbfb945b0 Mon Sep 17 00:00:00 2001
From: des
Date: Tue, 18 Jun 2013 07:05:51 +0000
Subject: [PATCH] Fix a bug that allowed a tracing process (e.g. gdb) to write to a memory-mapped file in the traced process's address space even if neither the traced process nor the tracing process had write access to that file.
Security: CVE-2013-2171
Security: FreeBSD-SA-13:06.mmap
Approved by: so
git-svn-id: svn://svn.freebsd.org/base/releng/9.1@251903 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 UPDATING | 6 ++++++
 sys/conf/newvers.sh | 2 +-
 sys/vm/vm_map.c | 6 ++++++
 3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/UPDATING b/UPDATING
index 43b120d5..7c45e16b 100644
--- a/UPDATING
+++ b/UPDATING
@@ -9,6 +9,12 @@ handbook.
 Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING. Please read that file before running portupgrade.
+20130618: p4 FreeBSD-SA-13:06.mmap
+ Fix a bug that allowed a tracing process (e.g. gdb) to write
+ to a memory-mapped file in the traced process's address space
+ even if neither the traced process nor the tracing process had
+ write access to that file.
+
 20130429: p3 FreeBSD-SA-13:05.nfsserver
 Fix a bug that allows NFS clients to issue READDIR on files.
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 21c32eaa..fa1f0998 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
 TYPE="FreeBSD"
 REVISION="9.1"
-BRANCH="RELEASE-p3"
+BRANCH="RELEASE-p4"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 BRANCH=${BRANCH_OVERRIDE}
 fi
diff --git a/sys/vm/vm_map.c b/sys/vm/vm_map.c
index 5cb1fef1..0b93fb51 100644
--- a/sys/vm/vm_map.c
+++ b/sys/vm/vm_map.c
@@ -3761,6 +3761,12 @@ RetryLookup:;
 vm_map_unlock_read(map);
 return (KERN_PROTECTION_FAILURE);
 }
+ if ((fault_typea & VM_PROT_COPY) != 0 &&
+ (entry->max_protection & VM_PROT_WRITE) == 0 &&
+ (entry->eflags & MAP_ENTRY_COW) == 0) {
+ vm_map_unlock_read(map);
+ return (KERN_PROTECTION_FAILURE);
+ }
 /*
 * If this page is not pageable, we have to get it for all possible
--
2.42.0
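Review bot: The added three-part condition just before the "not pageable" comment has no comment saying which invariant it enforces, and that invariant is the whole security fix. As written it refuses a fault that carries `VM_PROT_COPY` when the entry's `max_protection` lacks `VM_PROT_WRITE` and the entry is not `MAP_ENTRY_COW`, which reads as: a forced-copy write must not land on a shared mapping that could never be made writable, because there is no private copy to absorb it. I would state that above the `if`, for example `/* A VM_PROT_COPY fault on a non-COW entry would write to the shared object; refuse it unless the mapping may be made writable (FreeBSD-SA-13:06.mmap). */`. Presumably the tracer write path is what sets `VM_PROT_COPY`; that caller is not in this hunk and the enclosing function starts and ends outside it, so it is worth confirming that no other lookup path honours the flag without the same guard.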