On Thu, Dec 3, 2015 at 5:45 PM, yalin wang <yalin.wang2...@gmail.com> wrote: > >> On Dec 2, 2015, at 16:03, Kees Cook <keesc...@chromium.org> wrote: >> >> Normally, when a user can modify a file that has setuid or setgid bits, >> those bits are cleared when they are not the file owner or a member >> of the group. This is enforced when using write and truncate but not >> when writing to a shared mmap on the file. This could allow the file >> writer to gain privileges by changing a binary without losing the >> setuid/setgid/caps bits. >> >> Changing the bits requires holding inode->i_mutex, so it cannot be done >> during the page fault (due to mmap_sem being held during the fault). >> Instead, clear the bits if PROT_WRITE is being used at mmap time. >> >> Signed-off-by: Kees Cook <keesc...@chromium.org> >> Cc: sta...@vger.kernel.org >> — > > is this means mprotect() sys call also need add this check? > mprotect() can change to PROT_WRITE, then it can write to a > read only map again , also a secure hole here .
Yes, good point. This needs to be added. I will send a new patch. Thanks! -Kees -- Kees Cook Chrome OS & Brillo Security -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/