Commit 2ce9804f authored Mar 25, 2006 by Nicolas Pitre Committed by Russell King Mar 25, 2006

[ARM] 3030/2: fix permission check in the obscur cmpxchg syscall



Patch from Nicolas Pitre

Quoting RMK:

|pte_write() just says that the page _may_ be writable. It doesn't say
|that the MMU is programmed to allow writes. If pte_dirty() doesn't
|return true, that means that the page is _not_ writable from userspace.
|If you write to it from kernel mode (without using put_user) you'll
|bypass the MMU read-only protection and may end up writing to a page
|owned by two separate processes.

Signed-off-by: Nicolas Pitre <nico@cam.org>
Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>

parent 0003cedf

arch/arm/kernel/traps.c

+1 −1

Original line number	Original line	Diff line number	Diff line
	@@ -506,7 +506,7 @@ asmlinkage int arm_syscall(int no, struct pt_regs *regs)
	if (!pmd_present(*pmd))		if (!pmd_present(*pmd))
	goto bad_access;		goto bad_access;
	pte = pte_offset_map_lock(mm, pmd, addr, &ptl);		pte = pte_offset_map_lock(mm, pmd, addr, &ptl);
	if (!pte_present(pte) \|\| !pte_write(pte)) {		if (!pte_present(pte) \|\| !pte_dirty(pte)) {
	pte_unmap_unlock(pte, ptl);		pte_unmap_unlock(pte, ptl);
	goto bad_access;		goto bad_access;
	}		}

Admin message