reject attempts to map an immutable or append-only file, shared with

write protection. this stops data corruption where it was possible to change the in-memory copy of an append-only file (but not the on-disk copy). this is documented in NetBSD security advisory 1998-003. thanks to darrenr, lukem, cgd, mycroft and mrg for this.
1998-05-10 12:35:58 +00:00 · 1998-05-10 12:35:58 +00:00 · 6b11eea5b2
commit 6b11eea5b2
parent ff93d40dbb
2 changed files with 37 additions and 7 deletions
--- a/sys/uvm/uvm_mmap.c
+++ b/sys/uvm/uvm_mmap.c
@ -1,4 +1,4 @@
-/*	$NetBSD: uvm_mmap.c,v 1.8 1998/04/01 21:43:52 tv Exp $	*/
+/*	$NetBSD: uvm_mmap.c,v 1.9 1998/05/10 12:35:59 mrg Exp $	*/

 /*
 * XXXCDC: "ROUGH DRAFT" QUALITY UVM PRE-RELEASE FILE!   
@ -64,6 +64,7 @@
 #include <sys/malloc.h>
 #include <sys/vnode.h>
 #include <sys/conf.h>
+#include <sys/stat.h>

 #include <miscfs/specfs/specdev.h>

@ -211,6 +212,7 @@ sys_mmap(p, v, retval)
 		syscallarg(off_t) pos;
 	} */ *uap = v;
 	vm_offset_t addr;
+	struct vattr va;
 	off_t pos;
 	vm_size_t size, pageoff;
 	vm_prot_t prot, maxprot;
@ -354,10 +356,23 @@ sys_mmap(p, v, retval)
 		else if (prot & PROT_READ)
 			return (EACCES);

-		/* check write case (if shared) */
+		/* check write access, shared case first */
 		if (flags & MAP_SHARED) {
-			if (fp->f_flag & FWRITE)
-				maxprot |= VM_PROT_WRITE;
+			/*
+			 * if the file is writable, only add PROT_WRITE to
+			 * maxprot if the file is not immutable, append-only.
+			 * otherwise, if we have asked for PROT_WRITE, return
+			 * EPERM.
+			 */
+			if (fp->f_flag & FWRITE) {
+				if ((error =
+				    VOP_GETATTR(vp, &va, p->p_ucred, p)))
+					return (error);
+				if ((va.va_flags & (IMMUTABLE|APPEND)) == 0)
+					maxprot |= VM_PROT_WRITE;
+				else if (prot & PROT_WRITE)
+					return (EPERM);
+			}
 			else if (prot & PROT_WRITE)
 				return (EACCES);
 		} else {
--- a/sys/vm/vm_mmap.c
+++ b/sys/vm/vm_mmap.c
@ -1,4 +1,4 @@
-/*	$NetBSD: vm_mmap.c,v 1.56 1998/03/28 16:58:30 kleink Exp $	*/
+/*	$NetBSD: vm_mmap.c,v 1.57 1998/05/10 12:35:58 mrg Exp $	*/

 /*
 * Copyright (c) 1988 University of Utah.
@ -55,6 +55,7 @@
 #include <sys/file.h>
 #include <sys/mman.h>
 #include <sys/conf.h>
+#include <sys/stat.h>

 #include <sys/mount.h>
 #include <sys/syscallargs.h>
@ -130,6 +131,7 @@ sys_mmap(p, v, retval)
 		syscallarg(long) pad;
 		syscallarg(off_t) pos;
 	} */ *uap = v;
+	struct vattr va;
 	register struct filedesc *fdp = p->p_fd;
 	register struct file *fp;
 	struct vnode *vp;
@ -263,8 +265,21 @@ sys_mmap(p, v, retval)
 		else if (prot & PROT_READ)
 			return (EACCES);
 		if (flags & MAP_SHARED) {
-			if (fp->f_flag & FWRITE)
-				maxprot |= VM_PROT_WRITE;
+			/*
+			 * if the file is writable, only add PROT_WRITE to
+			 * maxprot if the file is not immutable, append-only.
+			 * otherwise, if we have asked for PROT_WRITE, return
+			 * EPERM.
+			 */
+			if (fp->f_flag & FWRITE) {
+				if ((error =
+				    VOP_GETATTR(vp, &va, p->p_ucred, p)))
+					return (error);
+				if ((va.va_flags & (IMMUTABLE|APPEND)) == 0)
+					maxprot |= VM_PROT_WRITE;
+				else if (prot & PROT_WRITE)
+					return (EPERM);
+			}
 			else if (prot & PROT_WRITE)
 				return (EACCES);
 		} else