Correct a security bug in copyuvm()

copyuvm() should not allow new copied pages to inherit more
permissions than the original pages.

diff --git a/mmu.h b/mmu.h
index 5c9ab600763caa7891403e19372b5df89ce3bef9..685f51dc3ac07118bef97c5e6cdfeffdf5122ecc 100644 (file)
--- a/mmu.h
+++ b/mmu.h
@@ -142,6 +142,7 @@ struct segdesc {
 
 // Address in page table or page directory entry
 #define PTE_ADDR(pte)   ((uint)(pte) & ~0xFFF)
+#define PTE_FLAGS(pte)  ((uint)(pte) &  0xFFF)
 
 #ifndef __ASSEMBLER__
 typedef uint pte_t;

diff --git a/vm.c b/vm.c
index dde56b7ba85c53454688e28f306e51ee4b090e36..4cffb58a59253e0908a22def6dcfa52778914f18 100644 (file)
--- a/vm.c
+++ b/vm.c
@@ -311,7 +311,7 @@ copyuvm(pde_t *pgdir, uint sz)
 {
   pde_t *d;
   pte_t *pte;
-  uint pa, i;
+  uint pa, i, flags;
   char *mem;
 
   if((d = setupkvm()) == 0)
@@ -322,10 +322,11 @@ copyuvm(pde_t *pgdir, uint sz)
     if(!(*pte & PTE_P))
       panic("copyuvm: page not present");
     pa = PTE_ADDR(*pte);
+    flags = PTE_FLAGS(*pte);
     if((mem = kalloc()) == 0)
       goto bad;
     memmove(mem, (char*)p2v(pa), PGSIZE);
-    if(mappages(d, (void*)i, PGSIZE, v2p(mem), PTE_W|PTE_U) < 0)
+    if(mappages(d, (void*)i, PGSIZE, v2p(mem), flags) < 0)
       goto bad;
   }
   return d;