On Tue, Nov 04, 2008 at 02:26:33PM +0000, Ian Campbell wrote:
> On Tue, 2008-11-04 at 14:02 +0100, Bastian Blank wrote:
> > Maybe it's the best to remove the workaround and instead cripple mprotect
> > to not allow PROT_NONE for now. And then hope that this can't be
> > triggered by mmap with PROT_NONE.
> I was thinking of going down the path of removing the workaround then
> fixing mprotect, so your suggestion would be a consistent first step I
> think.
Unchecked patch attached. It disallows changes from and to PROT_NONE.

Bastian

--
It is a human characteristic to love little animals, especially if they're
attractive in some way.
		-- McCoy, "The Trouble with Tribbles", stardate 4525.6
diff --git a/mm/mprotect.c b/mm/mprotect.c index e943715..24b4cfd 100644 --- a/mm/mprotect.c +++ b/mm/mprotect.c @@ -244,6 +244,14 @@ sys_mprotect(unsigned long start, size_t len, unsigned long prot) if (prot & ~(PROT_READ | PROT_WRITE | PROT_EXEC | PROT_SEM)) return -EINVAL; +#ifdef CONFIG_XEN + /* + * XXX: Disallow change to PROT_NONE. + */ + if (!(prot & (PROT_READ | PROT_WRITE | PROT_EXEC))) + return -EACCES; +#endif + reqprot = prot; /* * Does the application expect PROT_READ to imply PROT_EXEC: @@ -285,6 +293,16 @@ sys_mprotect(unsigned long start, size_t len, unsigned long prot) /* Here we know that vma->vm_start <= nstart < vma->vm_end. */ +#ifdef CONFIG_XEN + /* + * XXX: Disallow change from PROT_NONE. + */ + if (!(vma->vm_flags & (VM_READ | VM_WRITE | VM_EXEC))) { + error = -EACCES; + goto out; + } +#endif + newflags = vm_flags | (vma->vm_flags & ~(VM_READ | VM_WRITE | VM_EXEC)); /* newflags >> 4 shift VM_MAY% in place of VM_% */
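Review bot: in the first hunk the new test rejects every prot value without PROT_READ, PROT_WRITE or PROT_EXEC, which also refuses a PROT_NONE request on a range that is already inaccessible (a no-op today) and a bare PROT_SEM, which passed the EINVAL check on the line just above; the `XXX` comment should record why the Xen build needs this (the workaround being removed) rather than just "Disallow change to PROT_NONE", and it is worth deciding whether -EACCES is the errno callers should see here, since the existing rejection of bad prot bits two lines earlier returns -EINVAL.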
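Review bot: the second hunk rejects any vma with none of VM_READ, VM_WRITE or VM_EXEC set, so under CONFIG_XEN a mapping that was created inaccessible (the mmap(PROT_NONE) case the cover mail hopes will not matter) can never be made accessible through mprotect, which breaks the reserve-with-PROT_NONE-then-commit pattern allocators and runtimes rely on; and because the test sits inside the per-vma walk after "Here we know that vma->vm_start <= nstart < vma->vm_end", a range spanning several vmas can fail part-way via `error = -EACCES; goto out;` with earlier vmas already updated. Suggest replacing the bare `XXX` comment with a note on this limitation and checking that the partial-failure case is acceptable for the Xen kernels this is meant for.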