Page MenuHomeFreeBSD
Differential D24398

Relax restrictions on private mappings of POSIX shm objects.
ClosedPublic
Actions

Authored by markj on Apr 13 2020, 4:50 PM.
Tags
None
Referenced Files
F110289299: D24398.id70510.diff
Sun, Feb 16, 7:38 AM
Unknown Object (File)
Mon, Feb 10, 1:43 AM
Unknown Object (File)
Sun, Jan 26, 1:07 PM
Unknown Object (File)
Dec 27 2024, 4:05 PM
Unknown Object (File)
Nov 18 2024, 7:35 PM
Unknown Object (File)
Nov 3 2024, 5:20 PM
Unknown Object (File)
Nov 1 2024, 4:40 AM
Unknown Object (File)
Oct 29 2024, 2:29 PM
View All 48 Files
Subscribers
imp

Details

Reviewers
kib
kevans
Commits
rS359892: Relax restrictions on private mappings of POSIX shm objects.
Summary

When we create a private mapping of an shm object, VM_PROT_WRITE should
always be included in maxprot regardless of permissions on the
underlying FD. Otherwise it is possible to open a shm object read-only,
map it with MAP_PRIVATE and PROT_WRITE, and violate the invariant in
vm_map_insert() that (prot & maxprot) == prot.

Test Plan

syzkaller generated a program that triggers the aforementioned
assertion failure:
http://syzkaller.backtrace.io:8080/report?id=ba93405590ed607e9b2d65025a44ff60dc6c4bcc

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Revision Contents
Changeset List

PathSize
head/
sys/
kern/
33 lines

Diff 70510

View Options

head/sys/kern/uipc_shm.c

Loading...