when mmapping a file, permissions are checked as it should be. When
mprotect()-ing the address range afterwards, no protection was checked
regarding the protection of the file originally opened. So
when you open /usr/bin/su RDONLY and SHARED you could afterwards change
the mmapped region to READ|WRITE. This gave the possibility to obtain
root privs obviously.
Here are some fixes I derived from the mach 3.0 VM system a couple of months
ago. At the time, I was giving the memory object routines a good looking
at, trying to fix the long-standing problem where vm_object_collapse()
sometimes fails to collapse objects left over from the exit of a forked
child. As bde has noted, the problem seems to occur when portions of the
parent are paged out. These "lost" memory objects, which can eat up a huge
amount of swap space, are reclaimed when the parent responsible for the
fork()s is killed.
it seems to keep the vm system from deadlocking the system when it runs
out of swap + physical memory.
prevents the system from giving the last page(s) to anything but the
referenced "processes" (especially important is the pager process,
which should never have to wait for a free page).
This patch adds the symbol names to icu.s that vmstat expects
the interrupt counters to be called. It also adds code to config
so that the names of the interrupts are written at the end of vectors.s
so vmstat can report real device names. It also cleans up and enables
the logging of stray interrupts. The counters for false interrupts
are added but the fix for them is not (the fix I have is not done
very good.) A false interrupt is when a device asserts it's interrupt
signal, then removes it before the 8259 can latch it. This is the number
one cause of stray IRQ7's and IRQ15's.
Additional device probe information is now printed. This includes
ending I/O address (many drivers do not return the correct value from a
probe this still needs to be fixed), memory address and size, driver
flags passed in by config.
This patch adds the symbol names to icu.s that vmstat expects
the interrupt counters to be called. It also adds code to config
so that the names of the interrupts are written at the end of vectors.s
so vmstat can report real device names. It also cleans up and enables
the logging of stray interrupts. The counters for false interrupts
are added but the fix for them is not (the fix I have is not done
very good.) A false interrupt is when a device asserts it's interrupt
signal, then removes it before the 8259 can latch it. This is the number
one cause of stray IRQ7's and IRQ15's.
Additional device probe information is now printed. This includes
ending I/O address (many drivers do not return the correct value from a
probe this still needs to be fixed), memory address and size, driver
flags passed in by config.