Correct a security bug in copyuvm()

copyuvm() should not allow new copied pages to inherit more
permissions than the original pages.
This commit is contained in:
Stephen Tu 2013-03-04 16:16:54 -05:00 committed by Austin Clements
parent 241c068066
commit ff2783442e
2 changed files with 4 additions and 2 deletions

1
mmu.h
View file

@ -142,6 +142,7 @@ struct segdesc {
// Address in page table or page directory entry // Address in page table or page directory entry
#define PTE_ADDR(pte) ((uint)(pte) & ~0xFFF) #define PTE_ADDR(pte) ((uint)(pte) & ~0xFFF)
#define PTE_FLAGS(pte) ((uint)(pte) & 0xFFF)
#ifndef __ASSEMBLER__ #ifndef __ASSEMBLER__
typedef uint pte_t; typedef uint pte_t;

5
vm.c
View file

@ -311,7 +311,7 @@ copyuvm(pde_t *pgdir, uint sz)
{ {
pde_t *d; pde_t *d;
pte_t *pte; pte_t *pte;
uint pa, i; uint pa, i, flags;
char *mem; char *mem;
if((d = setupkvm()) == 0) if((d = setupkvm()) == 0)
@ -322,10 +322,11 @@ copyuvm(pde_t *pgdir, uint sz)
if(!(*pte & PTE_P)) if(!(*pte & PTE_P))
panic("copyuvm: page not present"); panic("copyuvm: page not present");
pa = PTE_ADDR(*pte); pa = PTE_ADDR(*pte);
flags = PTE_FLAGS(*pte);
if((mem = kalloc()) == 0) if((mem = kalloc()) == 0)
goto bad; goto bad;
memmove(mem, (char*)p2v(pa), PGSIZE); memmove(mem, (char*)p2v(pa), PGSIZE);
if(mappages(d, (void*)i, PGSIZE, v2p(mem), PTE_W|PTE_U) < 0) if(mappages(d, (void*)i, PGSIZE, v2p(mem), flags) < 0)
goto bad; goto bad;
} }
return d; return d;