From 08dac1991732db78ce85af228c7a7ae3e7438b35 Mon Sep 17 00:00:00 2001
From: Sergey Bugaev
Date: Sun, 23 May 2021 01:41:12 +0200
Subject: vm_map: Fix proxy object protection check
* If not making a copy, don't cap protection to the limit enforced by the proxy, and only require read access. This fixes mapping parts of read-only files MAP_ANON + PROT_READ|PROT_WRITE.
* Instead of silently capping protection, return KERN_PROTECTION_FAILURE to the caller like the other vm_*() routines do.
---
 vm/vm_user.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/vm/vm_user.c b/vm/vm_user.c
index 4d5728c8..4f89f890 100644
--- a/vm/vm_user.c
+++ b/vm/vm_user.c
@@ -357,9 +357,18 @@ kern_return_t vm_map(
 /* Really no luck */
 return result;
- /* Reduce the allowed access to the memory object. */
- max_protection &= prot;
- cur_protection &= prot;
+ if (!copy)
+ {
+ /* Disallow protection beyond proxy's own limits. */
+ if ((cur_protection & ~prot) || (max_protection & ~prot))
+ return KERN_PROTECTION_FAILURE;
+ }
+ else
+ {
+ /* Disallow making a copy unless the proxy allows reading. */
+ if (!(prot & VM_PROT_READ))
+ return KERN_PROTECTION_FAILURE;
+ }
 if ((object = vm_object_enter(real_memobj, size, FALSE)) == VM_OBJECT_NULL)
-- cgit v1.2.3
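Review bot: The copy branch (the `else` after `if (!copy)`) tests only `prot & VM_PROT_READ` and no longer relates `cur_protection` or `max_protection` to the proxy's limit, so a proxy that grants read but not write or execute can back a copied mapping with any requested protection. That looks intended, presumably because writes to a copy never reach the proxied object, but the reasoning is not written down, and the first bullet of the commit message describes this case as "not making a copy", the opposite of what the branch tests. I would expand the comment to something like `/* A copy is private to the caller: only read access to the proxy is needed, and cur/max protection are deliberately not limited by it. */`. In the non-copy branch, a request that the old code capped now fails with KERN_PROTECTION_FAILURE, so any caller that passes a broad `max_protection` and relied on capping should be checked. vm_map's body starts and ends outside the hunk, so neither the origin of `prot` nor the callers can be confirmed from here.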