• Hugh Dickins's avatar
    [PATCH] shmat: stop mprotect from giving write permission to a readonly attachment (CVE-2006-1524) · b78b6af6
    Hugh Dickins authored
    I found that all of 2.4 and 2.6 have been letting mprotect give write
    permission to a readonly attachment of shared memory, whether or not IPC
    would give the caller that permission.
    
    SUS says "The behaviour of this function [mprotect] is unspecified if the
    mapping was not established by a call to mmap", but I don't think we can
    interpret that as allowing it to subvert IPC permissions.
    
    I haven't tried 2.2, but the 2.2.26 source looks like it gets it right; and
    the patch below reproduces that behaviour - mprotect cannot be used to add
    write permission to a shared memory segment attached readonly.
    
    This patch is simple, and I'm sure it's what we should have done in 2.4.0:
    if you want to go on to switch write permission on and off with mprotect,
    just don't attach the segment readonly in the first place.
    
    However, we could have accumulated apps which attach readonly (even though
    they would be permitted to attach read/write), and which subsequently use
    mprotect to switch write permission on and off: it's not unreasonable.
    
    I was going to add a second ipcperms check in do_shmat, to check for
    writable when readonly, and if not writable find_vma and clear VM_MAYWRITE.
     But security_ipc_permission might do auditing, and it seems wrong to
    report an attempt for write permission when there has been none.  Or we
    could flag the vma as SHM, note the shmid or shp in vm_private_data, and
    then get mprotect to check.
    
    But the patch below is a lot simpler: I'd rather stick with it, if we can
    convince ourselves somehow that it'll be safe.
    Signed-off-by: default avatarHugh Dickins <hugh@veritas.com>
    Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
    Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
    b78b6af6
shm.c 21.4 KB