RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 14:17:36 +00:00
Code Issues Activity Actions

Kernel: Enforce W^X between sys$mmap() and sys$execve()

Browse source 
It's now an error to sys$mmap() a file as writable if it's currently
mapped executable by anyone else.

It's also an error to sys$execve() a file that's currently mapped
writable by anyone else.

This fixes a race condition vulnerability where one program could make
modifications to an executable while another process was in the kernel,
in the middle of exec'ing the same executable.

Test: Kernel/elf-execve-mmap-race.cpp
This commit is contained in:
Andreas Kling 2020-01-18 23:31:29 +01:00
parent 7ea264a660
commit 862b3ccb4e
4 changed files with 183 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

20
Kernel/VM/InodeVMObject.cpp
View file

@ -175,3 +175,23 @@ int InodeVMObject::release_all_clean_pages_impl()
});
return count;
}
u32 InodeVMObject::writable_mappings() const
{
u32 count = 0;
const_cast<InodeVMObject&>(*this).for_each_region([&](auto& region) {
if (region.is_writable())
++count;
});
return count;
}
u32 InodeVMObject::executable_mappings() const
{
u32 count = 0;
const_cast<InodeVMObject&>(*this).for_each_region([&](auto& region) {
if (region.is_executable())
++count;
});
return count;
}