authorSergey Bugaev <bugaevc@gmail.com>2021-05-23 01:41:12 +0200
committerSamuel Thibault <samuel.thibault@ens-lyon.org>2021-05-24 14:54:05 +0200
commit08dac1991732db78ce85af228c7a7ae3e7438b35 (patch)
treeeede830c8c7024c7a8d3ad089a953cc9edfb8f63
parent34ffcb1893ee724d17671b7c388394fb646821bd (diff)
vm_map: Fix proxy object protection check
* If not making a copy, don't cap protection to the limit enforced by the proxy, and only require read access. This fixes mapping parts of read-only files with MAP_ANON + PROT_READ|PROT_WRITE.
* Instead of silently capping protection, return KERN_PROTECTION_FAILURE to the caller like the other vm_*() routines do.
-rw-r--r--vm/vm_user.c15
1 files changed, 12 insertions, 3 deletions
diff --git a/vm/vm_user.c b/vm/vm_user.c
index 4d5728c8..4f89f890 100644
--- a/vm/vm_user.c
+++ b/vm/vm_user.c
@@ -357,9 +357,18 @@ kern_return_t vm_map(
/* Really no luck */
return result;
- /* Reduce the allowed access to the memory object. */
- max_protection &= prot;
- cur_protection &= prot;
+ if (!copy)
+ {
+ /* Disallow protection beyond proxy's own limits. */
+ if ((cur_protection & ~prot) || (max_protection & ~prot))
+ return KERN_PROTECTION_FAILURE;
+ }
+ else
+ {
+ /* Disallow making a copy unless the proxy allows reading. */
+ if (!(prot & VM_PROT_READ))
+ return KERN_PROTECTION_FAILURE;
+ }
if ((object = vm_object_enter(real_memobj, size, FALSE))
== VM_OBJECT_NULL)
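Review bot: The `else` (copy) branch tests only `prot & VM_PROT_READ` and leaves `cur_protection` and `max_protection` uncapped, but its comment does not say why exceeding the proxy's limit is acceptable there. Because `prot` is the access limit the proxy exists to enforce, I would state the reasoning at the branch, e.g. `/* A copy is private to the caller, so writes never reach the proxied object; only read access to the source is needed. */`. That argument holds only if the code after this hunk really gives the caller a private copy whenever `copy` is set, which is outside the visible lines and worth confirming. The two new `return KERN_PROTECTION_FAILURE;` exits mirror the bare `return result;` just above, so presumably nothing acquired earlier needs releasing, but the start of the enclosing block is not visible here.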