From owner-svn-src-all@FreeBSD.ORG Tue Jun 18 07:05:52 2013 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 6FF93240; Tue, 18 Jun 2013 07:05:52 +0000 (UTC) (envelope-from des@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 447B41C96; Tue, 18 Jun 2013 07:05:52 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.7/8.14.7) with ESMTP id r5I75qO2034906; Tue, 18 Jun 2013 07:05:52 GMT (envelope-from des@svn.freebsd.org) Received: (from des@localhost) by svn.freebsd.org (8.14.7/8.14.5/Submit) id r5I75pS4034903; Tue, 18 Jun 2013 07:05:51 GMT (envelope-from des@svn.freebsd.org) Message-Id: <201306180705.r5I75pS4034903@svn.freebsd.org> From: Dag-Erling Smørgrav Date: Tue, 18 Jun 2013 07:05:51 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r251903 - in releng/9.1: . sys/conf sys/vm X-SVN-Group: releng MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Jun 2013 07:05:52 -0000 Author: des Date: Tue Jun 18 07:05:51 2013 New Revision: 251903 URL: http://svnweb.freebsd.org/changeset/base/251903 Log: Fix a bug that allowed a tracing process (e.g. gdb) to write to a memory-mapped file in the traced process's address space even if neither the traced process nor the tracing process had write access to that file. Security: CVE-2013-2171 Security: FreeBSD-SA-13:06.mmap Approved by: so Modified: releng/9.1/UPDATING releng/9.1/sys/conf/newvers.sh releng/9.1/sys/vm/vm_map.c Modified: releng/9.1/UPDATING ============================================================================== --- releng/9.1/UPDATING Tue Jun 18 07:04:19 2013 (r251902) +++ releng/9.1/UPDATING Tue Jun 18 07:05:51 2013 (r251903) @@ -9,6 +9,12 @@ handbook. Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade. +20130618: p4 FreeBSD-SA-13:06.mmap + Fix a bug that allowed a tracing process (e.g. gdb) to write + to a memory-mapped file in the traced process's address space + even if neither the traced process nor the tracing process had + write access to that file. + 20130429: p3 FreeBSD-SA-13:05.nfsserver Fix a bug that allows NFS clients to issue READDIR on files. Modified: releng/9.1/sys/conf/newvers.sh ============================================================================== --- releng/9.1/sys/conf/newvers.sh Tue Jun 18 07:04:19 2013 (r251902) +++ releng/9.1/sys/conf/newvers.sh Tue Jun 18 07:05:51 2013 (r251903) @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="9.1" -BRANCH="RELEASE-p3" +BRANCH="RELEASE-p4" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi Modified: releng/9.1/sys/vm/vm_map.c ============================================================================== --- releng/9.1/sys/vm/vm_map.c Tue Jun 18 07:04:19 2013 (r251902) +++ releng/9.1/sys/vm/vm_map.c Tue Jun 18 07:05:51 2013 (r251903) @@ -3761,6 +3761,12 @@ RetryLookup:; vm_map_unlock_read(map); return (KERN_PROTECTION_FAILURE); } + if ((fault_typea & VM_PROT_COPY) != 0 && + (entry->max_protection & VM_PROT_WRITE) == 0 && + (entry->eflags & MAP_ENTRY_COW) == 0) { + vm_map_unlock_read(map); + return (KERN_PROTECTION_FAILURE); + } /* * If this page is not pageable, we have to get it for all possible