git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
2.6.16.6 release v2.6.16.6
author Greg Kroah-Hartman <gregkh@suse.de>
Mon, 17 Apr 2006 21:12:50 +0000 (14:12 -0700)
committer Greg Kroah-Hartman <gregkh@suse.de>
Mon, 17 Apr 2006 21:12:50 +0000 (14:12 -0700)
25 files changed:
2.6.16.6/CIFS-Incorrect-signature-sent-on-SMB-Read.patch [moved from review-2.6.16/CIFS-Incorrect-signature-sent-on-SMB-Read.patch with 100% similarity]
2.6.16.6/Fix-suspend-with-traced-tasks.patch [moved from review-2.6.16/Fix-suspend-with-traced-tasks.patch with 100% similarity]
2.6.16.6/RLIMIT_CPU-fix-handling-of-a-zero-limit.patch [moved from review-2.6.16/RLIMIT_CPU-fix-handling-of-a-zero-limit.patch with 100% similarity]
2.6.16.6/XFS-Fix-utime-2-in-the-case-that-no-times-parameter-was-passed-in.patch [moved from review-2.6.16/XFS-Fix-utime-2-in-the-case-that-no-times-parameter-was-passed-in.patch with 100% similarity]
2.6.16.6/alpha-smp-boot-fixes.patch [moved from review-2.6.16/alpha-smp-boot-fixes.patch with 100% similarity]
2.6.16.6/atm-clip-causes-unregister-hang.patch [moved from review-2.6.16/atm-clip-causes-unregister-hang.patch with 100% similarity]
2.6.16.6/cciss-bug-fix-for-crash-when-running-hpacucli.patch [moved from review-2.6.16/cciss-bug-fix-for-crash-when-running-hpacucli.patch with 100% similarity]
2.6.16.6/edac_752x-needs-config_hotplug.patch [moved from review-2.6.16/edac_752x-needs-config_hotplug.patch with 100% similarity]
2.6.16.6/ext3-fix-missed-mutex-unlock.patch [moved from review-2.6.16/ext3-fix-missed-mutex-unlock.patch with 100% similarity]
2.6.16.6/fix-block-device-symlink-name.patch [moved from review-2.6.16/fix-block-device-symlink-name.patch with 100% similarity]
2.6.16.6/fix-buddy-list-race-that-could-lead-to-page-lru-list-corruptions.patch [moved from review-2.6.16/fix-buddy-list-race-that-could-lead-to-page-lru-list-corruptions.patch with 100% similarity]
2.6.16.6/fix-non-leader-exec-under-ptrace.patch [moved from review-2.6.16/fix-non-leader-exec-under-ptrace.patch with 100% similarity]
2.6.16.6/fuse-fix-oops-in-fuse_send_readpages.patch [moved from review-2.6.16/fuse-fix-oops-in-fuse_send_readpages.patch with 100% similarity]
2.6.16.6/isd200-limit-to-blk_dev_ide.patch [moved from review-2.6.16/isd200-limit-to-blk_dev_ide.patch with 100% similarity]
2.6.16.6/m32r-fix-cpu_possible_map-and-cpu_present_map-initialization-for-smp-kernel.patch [moved from review-2.6.16/m32r-fix-cpu_possible_map-and-cpu_present_map-initialization-for-smp-kernel.patch with 100% similarity]
2.6.16.6/m32r-security-fix-of-get-put-_user-macros.patch [moved from review-2.6.16/m32r-security-fix-of-get-put-_user-macros.patch with 100% similarity]
2.6.16.6/mpbl0010-driver-sysfs-permissions-wide-open.patch [moved from review-2.6.16/mpbl0010-driver-sysfs-permissions-wide-open.patch with 100% similarity]
2.6.16.6/netfilter-fix-fragmentation-issues-with-bridge-netfilter.patch [moved from review-2.6.16/netfilter-fix-fragmentation-issues-with-bridge-netfilter.patch with 100% similarity]
2.6.16.6/powerpc-fix-incorrect-sa_onstack-behaviour-for-64-bit-processes.patch [moved from review-2.6.16/powerpc-fix-incorrect-sa_onstack-behaviour-for-64-bit-processes.patch with 100% similarity]
2.6.16.6/powerpc-iseries-needs-slb_initialize-to-be-called.patch [moved from review-2.6.16/powerpc-iseries-needs-slb_initialize-to-be-called.patch with 100% similarity]
2.6.16.6/send.mbox [moved from review-2.6.16/send.mbox with 100% similarity]
2.6.16.6/series [moved from review-2.6.16/series with 93% similarity]
2.6.16.6/shmat-stop-mprotect-from-giving-write-permission-to-a-readonly-attachment.patch [new file with mode: 0644]
2.6.16.6/sky2-bad-memory-reference-on-dual-port-cards.patch [moved from review-2.6.16/sky2-bad-memory-reference-on-dual-port-cards.patch with 100% similarity]
2.6.16.6/usb-remove-__init-from-usb_console_setup.patch [moved from review-2.6.16/usb-remove-__init-from-usb_console_setup.patch with 100% similarity]

similarity index 100%
rename from review-2.6.16/send.mbox
rename to 2.6.16.6/send.mbox
similarity index 93%
rename from review-2.6.16/series
rename to 2.6.16.6/series
index 0561b4b206cf27dead8f4b6057ab48501a246c1f..1b6e9612b50fd4eac9de07123591215c52e69340 100644 (file)
@@ -20,3 +20,4 @@ Fix-suspend-with-traced-tasks.patch
 usb-remove-__init-from-usb_console_setup.patch
 fix-non-leader-exec-under-ptrace.patch
 atm-clip-causes-unregister-hang.patch
+shmat-stop-mprotect-from-giving-write-permission-to-a-readonly-attachment.patch
diff --git a/2.6.16.6/shmat-stop-mprotect-from-giving-write-permission-to-a-readonly-attachment.patch b/2.6.16.6/shmat-stop-mprotect-from-giving-write-permission-to-a-readonly-attachment.patch
new file mode 100644 (file)
index 0000000..7cfaf49
--- /dev/null
@@ -0,0 +1,60 @@
+From akpm@osdl.org Wed Apr 12 14:32:33 2006
+Message-Id: <200604122132.k3CLW1Io021188@shell0.pdx.osdl.net>
+Subject: shmat: stop mprotect from giving write permission to a readonly attachment (CVE-2006-1524)
+To: greg@kroah.com
+Cc: chrisw@sous-sol.org, akpm@osdl.org, hugh@veritas.com, stable@kernel.org
+From: akpm@osdl.org
+Date: Wed, 12 Apr 2006 14:34:27 -0700
+
+
+From: Hugh Dickins <hugh@veritas.com>
+
+I found that all of 2.4 and 2.6 have been letting mprotect give write
+permission to a readonly attachment of shared memory, whether or not IPC
+would give the caller that permission.
+
+SUS says "The behaviour of this function [mprotect] is unspecified if the
+mapping was not established by a call to mmap", but I don't think we can
+interpret that as allowing it to subvert IPC permissions.
+
+I haven't tried 2.2, but the 2.2.26 source looks like it gets it right; and
+the patch below reproduces that behaviour - mprotect cannot be used to add
+write permission to a shared memory segment attached readonly.
+
+This patch is simple, and I'm sure it's what we should have done in 2.4.0:
+if you want to go on to switch write permission on and off with mprotect,
+just don't attach the segment readonly in the first place.
+
+However, we could have accumulated apps which attach readonly (even though
+they would be permitted to attach read/write), and which subsequently use
+mprotect to switch write permission on and off: it's not unreasonable.
+
+I was going to add a second ipcperms check in do_shmat, to check for
+writable when readonly, and if not writable find_vma and clear VM_MAYWRITE.
+ But security_ipc_permission might do auditing, and it seems wrong to
+report an attempt for write permission when there has been none.  Or we
+could flag the vma as SHM, note the shmid or shp in vm_private_data, and
+then get mprotect to check.
+
+But the patch below is a lot simpler: I'd rather stick with it, if we can
+convince ourselves somehow that it'll be safe.
+
+Signed-off-by: Hugh Dickins <hugh@veritas.com>
+Signed-off-by: Andrew Morton <akpm@osdl.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ ipc/shm.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- linux-2.6.16.5.orig/ipc/shm.c
++++ linux-2.6.16.5/ipc/shm.c
+@@ -161,6 +161,8 @@ static int shm_mmap(struct file * file, 
+       ret = shmem_mmap(file, vma);
+       if (ret == 0) {
+               vma->vm_ops = &shm_vm_ops;
++              if (!(vma->vm_flags & VM_WRITE))
++                      vma->vm_flags &= ~VM_MAYWRITE;
+               shm_inc(file->f_dentry->d_inode->i_ino);
+       }
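
Review bot: the two lines added to shm_mmap() clear VM_MAYWRITE without a comment, and the reason for it (a readonly attachment must not gain write permission through mprotect) lives only in the changelog; a short comment above `if (!(vma->vm_flags & VM_WRITE))` would keep that intent next to the code. The changelog also leaves the compatibility question open ("if we can convince ourselves somehow that it'll be safe"): applications that attach readonly and later switch write permission on with mprotect will now be refused, so the stable changelog should state that behaviour change outright rather than as a possibility.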