xv6


commit ff2783442ea2801a4bf6c76f198f36a6e985e7dd
parent 241c068066c51e9e06adf6d45834b97a50d029cf
Author: Stephen Tu <stephentu@csail.mit.edu>
Date:   Mon,  4 Mar 2013 16:16:54 -0500

Correct a security bug in copyuvm()

copyuvm() should not allow new copied pages to inherit more
permissions than the original pages.

Diffstat:
Mmmu.h | 1+
Mvm.c | 5+++--
2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/mmu.h b/mmu.h
@@ -142,6 +142,7 @@ struct segdesc {
 // Address in page table or page directory entry
 #define PTE_ADDR(pte) ((uint)(pte) & ~0xFFF)
+#define PTE_FLAGS(pte) ((uint)(pte) & 0xFFF)
 #ifndef __ASSEMBLER__
 typedef uint pte_t;
diff --git a/vm.c b/vm.c
@@ -311,7 +311,7 @@ copyuvm(pde_t *pgdir, uint sz)
 {
 pde_t *d;
 pte_t *pte;
- uint pa, i;
+ uint pa, i, flags;
 char *mem;
 if((d = setupkvm()) == 0)
@@ -322,10 +322,11 @@ copyuvm(pde_t *pgdir, uint sz)
 if(!(*pte & PTE_P))
 panic("copyuvm: page not present");
 pa = PTE_ADDR(*pte);
+ flags = PTE_FLAGS(*pte);
 if((mem = kalloc()) == 0)
 goto bad;
 memmove(mem, (char*)p2v(pa), PGSIZE);
- if(mappages(d, (void*)i, PGSIZE, v2p(mem), PTE_W|PTE_U) < 0)
+ if(mappages(d, (void*)i, PGSIZE, v2p(mem), flags) < 0)
 goto bad;
 }
 return d;
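Review bot: The new `PTE_FLAGS` macro has no comment of its own and sits under the one that describes `PTE_ADDR`, so nothing tells a caller that the `0xFFF` mask returns every low bit of the entry rather than only the permission bits. On x86 those twelve bits also hold the present, accessed, dirty and caching bits, which matters to a caller that passes the result on as a permission argument, as copyuvm() now does in vm.c. I would add `// Low 12 bits of a page table or page directory entry: permission and status flags` above the macro. A caller that wants permissions only can then narrow the value itself, for example `PTE_FLAGS(*pte) & (PTE_W|PTE_U)`.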
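Review bot: When mappages() fails in the last hunk, the page just returned by kalloc() is not released before `goto bad`. That page has presumably not been entered into `d` at that point, so unless the code at the `bad` label (outside this hunk) frees it some other way, each failed call leaks one physical page. Releasing it on that path would close the gap: `if(mappages(d, (void*)i, PGSIZE, v2p(mem), flags) < 0) { kfree(mem); goto bad; }`. copyuvm's loop header and the `bad` label are both outside the hunk, so this should be confirmed against the full function.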