On Thu, 19 Nov 2015 16:10:43 -0800 Kees Cook <[email protected]> wrote:
> Normally, when a user can modify a file that has setuid or setgid bits, > those bits are cleared when they are not the file owner or a member of the > group. This is enforced when using write() directly but not when writing > to a shared mmap on the file. This could allow the file writer to gain > privileges by changing the binary without losing the setuid/setgid bits. > > Signed-off-by: Kees Cook <[email protected]> > Cc: [email protected] > --- > mm/memory.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/mm/memory.c b/mm/memory.c > index deb679c31f2a..4c970a4e0057 100644 > --- a/mm/memory.c > +++ b/mm/memory.c > @@ -2036,6 +2036,7 @@ static inline int wp_page_reuse(struct mm_struct *mm, > > if (!page_mkwrite) > file_update_time(vma->vm_file); > + file_remove_privs(vma->vm_file); > } > > return VM_FAULT_WRITE; file_remove_privs() is depressingly heavyweight. You'd think there was some more lightweight way of caching the fact that we've already done this. Dumb question: can we run file_remove_privs() once, when the file is opened writably, rather than for each and every write into each page? Also, the proposed patch drops the file_remove_privs() return value on the floor and we just go ahead with the modification. How come? -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [email protected] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
