Subject: Re: mmap() bug
To: Ted Lemon <mellon@fugue.com>
From: Dave Huang <khym@bga.com>
List: current-users
Date: 03/13/1998 15:43:10

On Fri, 13 Mar 1998, Ted Lemon wrote:
> This is fixed in 1.3.1 and -current.

Perhaps announcements of security bugfixes should be sent to
tech-security? Or somewhere, at least... I didn't see any mention of the
fix on current-users, and I don't think it was even mentioned on
source-changes (assuming the fix was in vm_mmap.c, v1.55, committed on
March 3): 

Modified Files:
        vm_mmap.c 
Log Message:
As in UVM, automatically convert MAP_PRIVATE device mappings to MAP_SHARED.


That log message doesn't just leap out and say "fixes problem where
read-only device mappings were writable." And actually, when looking at
the text of the security advisory, it makes it look like the change is
_introducing_ the bug: 

> 4.4BSD does not perform this access check when the mapping is not shared;
> a process with a private mapping cannot modify the original file, so the
> potential for danger is minimized. Unfortunately, the 4.4BSD VM system
> automatically changes any private mapping of a character device to
> "shared", regardless of the flags passed to mmap(), after the access check
> is performed.
-- 
Name: Dave Huang     |   Mammal, mammal / their names are called /
INet: khym@bga.com   |   they raise a paw / the bat, the cat /
FurryMUCK: Dahan     |   dolphin and dog / koala bear and hog -- TMBG
Dahan: Hani G Y+C 22 Y++ L+++ W- C++ T++ A+ E+ S++ V++ F- Q+++ P+ B+ PA+ PL++
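
Added example, not part of the original message and not NetBSD source: a simplified C model of the ordering the quoted advisory describes, where the write-access check is skipped for private mappings and the character-device conversion to "shared" happens afterwards. All type and function names are hypothetical, and running the conversion before the check in the second function is an assumption about what the vm_mmap.c change achieves.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, NOT NetBSD source; every name here is hypothetical. */
enum { M_PROT_WRITE = 2 };
enum map_kind { M_SHARED, M_PRIVATE };
struct file_model { bool is_chardev; bool opened_for_write; };

/* Constructed sample inputs: both descriptors were opened read-only. */
static const struct file_model ro_chardev = { true, false };
static const struct file_model ro_regular = { false, false };

/* Access check per the advisory: only shared mappings are checked. */
static bool access_ok(const struct file_model *f, int prot, enum map_kind k)
{
    return !(k == M_SHARED && (prot & M_PROT_WRITE) && !f->opened_for_write);
}

/* Private mappings of character devices are silently made shared. */
static enum map_kind convert(const struct file_model *f, enum map_kind k)
{
    return (f->is_chardev && k == M_PRIVATE) ? M_SHARED : k;
}

/* Ordering in the advisory: check first, convert afterwards.
 * Returns true when a writable SHARED mapping is handed out. */
bool check_then_convert(const struct file_model *f, int prot, enum map_kind k)
{
    if (!access_ok(f, prot, k))
        return false;
    k = convert(f, k);
    return k == M_SHARED && (prot & M_PROT_WRITE);
}

/* Assumed effect of the fix: convert first, so the check sees "shared". */
bool convert_then_check(const struct file_model *f, int prot, enum map_kind k)
{
    k = convert(f, k);
    if (!access_ok(f, prot, k))
        return false;
    return k == M_SHARED && (prot & M_PROT_WRITE);
}

int main(void)
{
    printf("read-only chardev, private+write: old order=%d, new order=%d\n",
           check_then_convert(&ro_chardev, M_PROT_WRITE, M_PRIVATE),
           convert_then_check(&ro_chardev, M_PROT_WRITE, M_PRIVATE));
    return 0;
}
```

In this model the conversion itself is identical in both functions; only its position relative to the access check decides whether a read-only descriptor yields a writable shared mapping.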