[PATCH v2] mm/mprotect.c: don't imply PROT_EXEC on non-exec fs

From: Piotr Kwapulinski
Date: Wed Jan 27 2016 - 11:30:26 EST


mprotect(PROT_READ) fails when called by a READ_IMPLIES_EXEC binary
on a memory-mapped file located on a non-exec fs. mprotect does not
check whether the fs is _executable_ or not. The PROT_EXEC flag is set
automatically even if the memory-mapped file is located on a non-exec fs.
Fix it by checking whether the memory-mapped file is located on a non-exec
fs. If so, PROT_EXEC is not implied by PROT_READ.
The implementation uses the VM_MAYEXEC flag, which is set properly in mmap.
Now it is consistent with mmap.

I did isolated tests (PT_GNU_STACK X/NX, multiple VMAs, X/NX fs).
I also patched the official 3.19.0-47-generic Ubuntu 14.04 kernel
and it seems to work.

Signed-off-by: Piotr Kwapulinski <kwapulinski.piotr@xxxxxxxxx>
---
The difference from v1 is that the prot variable is reset to
reqprot for each loop iteration (thanks to Konstantin Khlebnikov for
pointing this out).
rier means "(current->personality & [R]EAD_[I]MPLIES_[E]XEC) &&
(prot & PROT_[R]EAD)".

mm/mprotect.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/mm/mprotect.c b/mm/mprotect.c
index 8eb7bb4..1b9597f 100644
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -352,10 +352,12 @@ fail:
SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
unsigned long, prot)
{
- unsigned long vm_flags, nstart, end, tmp, reqprot;
+ unsigned long nstart, end, tmp, reqprot;
struct vm_area_struct *vma, *prev;
int error = -EINVAL;
const int grows = prot & (PROT_GROWSDOWN|PROT_GROWSUP);
+ const bool rier = (current->personality & READ_IMPLIES_EXEC) &&
+ (prot & PROT_READ);
prot &= ~(PROT_GROWSDOWN|PROT_GROWSUP);
if (grows == (PROT_GROWSDOWN|PROT_GROWSUP)) /* can't be both */
return -EINVAL;
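Review bot: the name `rier` is only explained in the cover note, not in the code; a reader of mprotect.c will not recognise it as "READ_IMPLIES_EXEC and PROT_READ". Either give the flag a descriptive name or add a one-line comment above the declaration. The evaluation itself is fine here: it reads `prot & PROT_READ` before the `PROT_GROWSDOWN|PROT_GROWSUP` bits are masked off on the next line, and those bits do not overlap PROT_READ.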
@@ -372,13 +374,6 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
return -EINVAL;

reqprot = prot;
- /*
- * Does the application expect PROT_READ to imply PROT_EXEC:
- */
- if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
- prot |= PROT_EXEC;
-
- vm_flags = calc_vm_prot_bits(prot);

down_write(&current->mm->mmap_sem);

@@ -412,7 +407,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,

/* Here we know that vma->vm_start <= nstart < vma->vm_end. */

- newflags = vm_flags;
+ /* Does the application expect PROT_READ to imply PROT_EXEC */
+ if (rier && (vma->vm_flags & VM_MAYEXEC))
+ prot |= PROT_EXEC;
+
+ newflags = calc_vm_prot_bits(prot);
newflags |= (vma->vm_flags & ~(VM_READ | VM_WRITE | VM_EXEC));

/* newflags >> 4 shift VM_MAY% in place of VM_% */
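Review bot: the new comment `/* Does the application expect PROT_READ to imply PROT_EXEC */` drops the one piece of information that changed, namely that the implication is now conditional on `vma->vm_flags & VM_MAYEXEC`. Say why in the comment, e.g. "READ_IMPLIES_EXEC only applies where the mapping may be executable (VM_MAYEXEC), matching mmap's behaviour on non-exec mounts", so the next reader does not take the VM_MAYEXEC test for an unrelated check. Note also that `prot |= PROT_EXEC` mutates the loop-wide `prot`, which only stays correct because of the reset added at the bottom of the loop body in the following hunk.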
@@ -443,6 +442,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long, start, size_t, len,
error = -ENOMEM;
goto out;
}
+ prot = reqprot;
}
out:
up_write(&current->mm->mmap_sem);
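Review bot: resetting `prot = reqprot;` at the end of each iteration couples this line to the `prot |= PROT_EXEC` in the previous hunk; anyone adding an early `continue` or another exit path between them would carry an implied PROT_EXEC into the next VMA. A per-iteration value avoids the reset entirely, e.g. compute `newflags = calc_vm_prot_bits(prot | ((rier && (vma->vm_flags & VM_MAYEXEC)) ? PROT_EXEC : 0));` from the unmodified `prot`, which also makes `reqprot` and `prot` stay equal for the whole function.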
--
2.7.0