From mboxrd@z Thu Jan 1 00:00:00 1970 From: Kees Cook Subject: [PATCH] fs: clear file set[ug]id when writing via mmap Date: Thu, 19 Nov 2015 16:10:43 -0800 Message-ID: <20151120001043.GA28204@www.outflux.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Return-path: Content-Disposition: inline Sender: linux-fsdevel-owner@vger.kernel.org Cc: Andrew Morton , Dave Chinner , Andy Lutomirski , Jan Kara , "Kirill A. Shutemov" , Mel Gorman , Johannes Weiner , Rik van Riel , Matthew Wilcox , Shachar Raindel , Boaz Harrosh , Michal Hocko , Haggai Eran , Theodore Tso , Willy Tarreau , Dirk Steinmetz , Michael Kerrisk-manpages , Serge Hallyn , Seth Forshee , Alexander Viro , Linux FS Devel , LKML , "Eric W . Biederman" List-Id: linux-mm.kvack.org Normally, when a user can modify a file that has setuid or setgid bits, those bits are cleared when they are not the file owner or a member of the group. This is enforced when using write() directly but not when writing to a shared mmap on the file. This could allow the file writer to gain privileges by changing the binary without losing the setuid/setgid bits. Signed-off-by: Kees Cook Cc: stable@vger.kernel.org --- mm/memory.c | 1 + 1 file changed, 1 insertion(+) diff --git a/mm/memory.c b/mm/memory.c index deb679c31f2a..4c970a4e0057 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -2036,6 +2036,7 @@ static inline int wp_page_reuse(struct mm_struct *mm, if (!page_mkwrite) file_update_time(vma->vm_file); + file_remove_privs(vma->vm_file); } return VM_FAULT_WRITE; -- 1.9.1 -- Kees Cook Chrome OS Security
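Review bot: the added `file_remove_privs(vma->vm_file);` is indented as though it sits under `if (!page_mkwrite)`, but that `if` has no braces, so the new call actually runs for every dirty shared fault, including the case where the filesystem's own page_mkwrite handler already ran; either wrap both calls in braces if both paths should drop the bits, or fix the indentation so the unconditional call is obvious and explain in the commit message why filesystems with a page_mkwrite handler should get it too. The return value of file_remove_privs() is also discarded here, unlike the write(2) path, and since it can end up in notify_change() the patch should say why calling it from the fault path after the PTE lock is dropped is safe.

A regression check for the behaviour the commit message describes, added here as example code (it is not part of the patch or of the kernel tree): it creates a temporary set[ug]id file, modifies it once through write(2) and once through a MAP_SHARED mapping, and reports whether the bits survived each path. It assumes a Linux host with a writable /tmp; whether the bits are dropped at all depends on the running kernel and on whether the caller holds CAP_FSETID (root keeps them on both paths), so the useful signal is that the two paths agree.

```c
/* Added regression check: does a shared-mmap write drop set[ug]id the
 * way write(2) does? Not part of the patch; assumes Linux and a
 * writable /tmp. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define MAP_LEN 4096

/* Create a temp file with setuid and setgid set; returns the fd, or -1.
 * S_IXGRP is set so that the setgid bit counts as a privilege bit. */
static int make_setid_file(char *path_out, size_t n) {
    char tmpl[] = "/tmp/setid-mmap-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    if (write(fd, "#!/bin/sh\n", 10) != 10 ||
        fchmod(fd, S_ISUID | S_ISGID | S_IRWXU | S_IRGRP | S_IXGRP |
                   S_IROTH | S_IXOTH) != 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    snprintf(path_out, n, "%s", tmpl);
    return fd;
}

/* 1 if either setuid or setgid is still set on fd, 0 if cleared, -1 on error. */
static int setid_bits_present(int fd) {
    struct stat st;
    if (fstat(fd, &st) != 0)
        return -1;
    return (st.st_mode & (S_ISUID | S_ISGID)) != 0;
}

/* Modify the file via write(2); return whether set[ug]id survived. */
int setid_kept_after_write(void) {
    char path[64];
    int fd = make_setid_file(path, sizeof path);
    if (fd < 0)
        return -1;
    int kept = -1;
    if (pwrite(fd, "#", 1, 0) == 1)
        kept = setid_bits_present(fd);
    close(fd);
    unlink(path);
    return kept;
}

/* Modify the file via a MAP_SHARED mapping; return whether set[ug]id survived. */
int setid_kept_after_mmap_write(void) {
    char path[64];
    int fd = make_setid_file(path, sizeof path);
    if (fd < 0)
        return -1;
    int kept = -1;
    char *p = mmap(NULL, MAP_LEN, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (p != MAP_FAILED) {
        p[0] = '#';                    /* write fault on a shared file page */
        msync(p, MAP_LEN, MS_SYNC);    /* make sure the dirty page is written back */
        munmap(p, MAP_LEN);
        kept = setid_bits_present(fd);
    }
    close(fd);
    unlink(path);
    return kept;
}

int main(void) {
    int w = setid_kept_after_write();
    int m = setid_kept_after_mmap_write();
    printf("set[ug]id kept after write(): %d, after mmap write: %d (euid %u)\n",
           w, m, (unsigned)geteuid());
    /* Exit non-zero when the two paths disagree, i.e. the mmap path
     * leaves privilege bits that write(2) would have dropped. */
    return (w >= 0 && w == m) ? 0 : 1;
}
```

Run it as an unprivileged user: on a kernel with the fix both values are 0; a 1 for the mmap path next to a 0 for write(2) is exactly the inconsistency the patch targets.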