author | Sergey Bugaev <bugaevc@gmail.com> | 2021-05-23 01:41:12 +0200 |
---|---|---|
committer | Samuel Thibault <samuel.thibault@ens-lyon.org> | 2021-05-24 14:54:05 +0200 |
commit | 08dac1991732db78ce85af228c7a7ae3e7438b35 (patch) | |
tree | eede830c8c7024c7a8d3ad089a953cc9edfb8f63 | |
parent | 34ffcb1893ee724d17671b7c388394fb646821bd (diff) | |
vm_map: Fix proxy object protection check
* If not making a copy, don't cap protection to the limit enforced
by the proxy, and only require read access. This fixes mapping
parts of read-only files MAP_ANON + PROT_READ|PROT_WRITE.
* Instead of silently capping protection, return KERN_PROTECTION_FAILURE
to the caller like the other vm_*() routines do.
-rw-r--r-- | vm/vm_user.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/vm/vm_user.c b/vm/vm_user.c
index 4d5728c8..4f89f890 100644
--- a/vm/vm_user.c
+++ b/vm/vm_user.c
@@ -357,9 +357,18 @@ kern_return_t vm_map(
 /* Really no luck */
 return result;
- /* Reduce the allowed access to the memory object. */
- max_protection &= prot;
- cur_protection &= prot;
+ if (!copy)
+ {
+ /* Disallow protection beyond proxy's own limits. */
+ if ((cur_protection & ~prot) || (max_protection & ~prot))
+ return KERN_PROTECTION_FAILURE;
+ }
+ else
+ {
+ /* Disallow making a copy unless the proxy allows reading. */
+ if (!(prot & VM_PROT_READ))
+ return KERN_PROTECTION_FAILURE;
+ }
 if ((object = vm_object_enter(real_memobj, size, FALSE)) == VM_OBJECT_NULL) |
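Review bot: The `else` (copy) branch no longer bounds `cur_protection` or `max_protection` by `prot`, and the comment there does not say why that is safe. It presumably relies on a copy mapping never writing through to the proxied object, but the code that sets up the copy lies outside this hunk. I would state the invariant at the check, e.g. `/* A copy never writes back to the proxied object, so read access to the proxy suffices; cur/max protection then apply only to the private copy. */`. Separately, the `!copy` branch now fails when `max_protection` has any bit outside `prot`, so existing callers that pass a wide value such as `VM_PROT_ALL` and relied on the old silent cap would start getting `KERN_PROTECTION_FAILURE`; those callers are worth auditing before this lands. vm_map's body starts and ends outside the hunk.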