authorStephen Tu <[email protected]>2013-03-04 16:16:54 -0500
committerAustin Clements <[email protected]>2013-03-04 16:16:54 -0500
commitff2783442ea2801a4bf6c76f198f36a6e985e7dd (patch)
treea7f1ac2325465a23c274f1e531ac3b2db376f0d3
parent241c068066c51e9e06adf6d45834b97a50d029cf (diff)
Correct a security bug in copyuvm()
copyuvm() should not allow new copied pages to inherit more permissions than the original pages.
-rw-r--r--mmu.h1
-rw-r--r--vm.c5
2 files changed, 4 insertions, 2 deletions
diff --git a/mmu.h b/mmu.h
index 5c9ab60..685f51d 100644
--- a/mmu.h
+++ b/mmu.h
@@ -142,6 +142,7 @@ struct segdesc {
// Address in page table or page directory entry
#define PTE_ADDR(pte) ((uint)(pte) & ~0xFFF)
+#define PTE_FLAGS(pte) ((uint)(pte) & 0xFFF)
#ifndef __ASSEMBLER__
typedef uint pte_t;
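Review bot: The new `PTE_FLAGS` macro has no comment of its own, and the existing comment above `PTE_ADDR` describes only the address part of an entry. Since the macro is now what decides which bits a copied mapping inherits, a one-line comment would help, e.g. `// Flag bits (low 12 bits) of a page table or page directory entry`. The mask is the exact complement of the one in `PTE_ADDR`, so it returns every low bit of the entry, not only the permission bits.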
diff --git a/vm.c b/vm.c
index dde56b7..4cffb58 100644
--- a/vm.c
+++ b/vm.c
@@ -311,7 +311,7 @@ copyuvm(pde_t *pgdir, uint sz)
{
pde_t *d;
pte_t *pte;
- uint pa, i;
+ uint pa, i, flags;
char *mem;
if((d = setupkvm()) == 0)
@@ -322,10 +322,11 @@ copyuvm(pde_t *pgdir, uint sz)
if(!(*pte & PTE_P))
panic("copyuvm: page not present");
pa = PTE_ADDR(*pte);
+ flags = PTE_FLAGS(*pte);
if((mem = kalloc()) == 0)
goto bad;
memmove(mem, (char*)p2v(pa), PGSIZE);
- if(mappages(d, (void*)i, PGSIZE, v2p(mem), PTE_W|PTE_U) < 0)
+ if(mappages(d, (void*)i, PGSIZE, v2p(mem), flags) < 0)
goto bad;
}
return d;
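Review bot: `flags = PTE_FLAGS(*pte)` copies all twelve low bits of the parent's entry, so the child's freshly allocated page inherits any hardware-maintained or cache-control bits set in the parent, not just the write and user permissions. That looks harmless as long as nothing in the kernel interprets those bits, but the intent deserves a comment at the assignment, e.g. `// Copy the parent's PTE flags so the child never gains W or U access the parent lacked.` Separately, when `mappages` fails, the page just returned by `kalloc()` does not appear to be released before `goto bad`. The `bad:` label is outside this hunk, so confirm whether cleanup there can reach `mem`, and if it cannot, add `kfree(mem);` before the jump. The loop header and the rest of copyuvm also lie outside the hunk.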