From 479929b06ce75dff43f738f4ddd06dee20b045d0 Mon Sep 17 00:00:00 2001 From: int16 Date: Wed, 9 Mar 2022 22:37:23 +1100 Subject: [PATCH] Kernel: Check wxallowed mount flag when validating mmap call --- Kernel/Syscalls/mmap.cpp | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/Kernel/Syscalls/mmap.cpp b/Kernel/Syscalls/mmap.cpp index cfe775c20ca..45527868aed 100644 --- a/Kernel/Syscalls/mmap.cpp +++ b/Kernel/Syscalls/mmap.cpp @@ -69,7 +69,7 @@ static bool should_make_executable_exception_for_dynamic_loader(bool make_readab return true; } -static bool validate_mmap_prot(int prot, bool map_stack, bool map_anonymous, Memory::Region const* region = nullptr) +static bool validate_mmap_prot(const Process& process, int prot, bool map_stack, bool map_anonymous, Memory::Region const* region = nullptr) { bool make_readable = prot & PROT_READ; bool make_writable = prot & PROT_WRITE; @@ -78,10 +78,13 @@ static bool validate_mmap_prot(int prot, bool map_stack, bool map_anonymous, Mem if (map_anonymous && make_executable) return false; - if (make_writable && make_executable) + if (map_stack && make_executable) return false; - if (map_stack && make_executable) + if (executable()->mount_flags() & MS_WXALLOWED) + return true; + + if (make_writable && make_executable) return false; if (region) { @@ -177,7 +180,7 @@ ErrorOr Process::sys$mmap(Userspace use if ((map_fixed || map_fixed_noreplace) && map_randomized) return EINVAL; - if (!validate_mmap_prot(prot, map_stack, map_anonymous)) + if (!validate_mmap_prot(*this, prot, map_stack, map_anonymous)) return EINVAL; if (map_stack && (!map_private || !map_anonymous)) @@ -270,7 +273,7 @@ ErrorOr Process::sys$mprotect(Userspace addr, size_t size, int p if (auto* whole_region = address_space().find_region_from_range(range_to_mprotect)) { if (!whole_region->is_mmap()) return EPERM; - if (!validate_mmap_prot(prot, whole_region->is_stack(), whole_region->vmobject().is_anonymous(), whole_region)) + if (!validate_mmap_prot(*this, prot, whole_region->is_stack(), whole_region->vmobject().is_anonymous(), whole_region)) return EINVAL; if (whole_region->access() == Memory::prot_to_region_access_flags(prot)) return 0; @@ -290,7 +293,7 @@ ErrorOr Process::sys$mprotect(Userspace addr, size_t size, int p if (auto* old_region = address_space().find_region_containing(range_to_mprotect)) { if (!old_region->is_mmap()) return EPERM; - if (!validate_mmap_prot(prot, old_region->is_stack(), old_region->vmobject().is_anonymous(), old_region)) + if (!validate_mmap_prot(*this, prot, old_region->is_stack(), old_region->vmobject().is_anonymous(), old_region)) return EINVAL; if (old_region->access() == Memory::prot_to_region_access_flags(prot)) return 0; @@ -330,7 +333,7 @@ ErrorOr Process::sys$mprotect(Userspace addr, size_t size, int p for (const auto* region : regions) { if (!region->is_mmap()) return EPERM; - if (!validate_mmap_prot(prot, region->is_stack(), region->vmobject().is_anonymous(), region)) + if (!validate_mmap_prot(*this, prot, region->is_stack(), region->vmobject().is_anonymous(), region)) return EINVAL; if (region->vmobject().is_inode() && !validate_inode_mmap_prot(*this, prot, static_cast(region->vmobject()).inode(), region->is_shared())) {