lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 23 Nov 2014 19:23:53 +0100
From:	Manfred Spraul <manfred@...orfullife.com>
To:	Rik van Riel <riel@...hat.com>, linux-kernel@...r.kernel.org
CC:	Andrew Morton <akpm@...ux-foundation.org>,
	Davidlohr Bueso <davidlohr@...com>,
	Rafael Aquini <aquini@...hat.com>, 1vier1@....de
Subject: Re: [PATCH] ipc,sem block sem_lock on sma->lock during sma initialization

Hi Rik,

On 11/21/2014 08:52 PM, Rik van Riel wrote:
> When manipulating just one semaphore with semop, sem_lock only takes that
> single semaphore's lock. This creates a problem during initialization of
> the semaphore array, when the data structures used by sem_lock have not
> been set up yet. The sma->lock is already held by newary, and we just
> have to make sure everything else waits on that lock during initialization.
>
> Luckily it is easy to make sem_lock wait on the sma->lock, by pretending
> there is a complex operation in progress while the sma is being initialized.
That's not sufficient, as sma->sem_nsems is accessed before calling 
sem_lock(), both within find_alloc_undo() and within semtimedop().

The root problem is that sma->sem_nsems and sma->sem_base are accessed 
without any locks, this conflicts with the approach that sma starts to 
exist as not yet initialized but locked and is unlocked after the 
initialization is completed.

Attached is an idea. It did pass a few short tests.
What do you think?

With regards to affected kernels:
- wrong -EFBIG are possible since 3.10 (test for sma->sem_nsems moved 
before taking the lock)
- kernel memory corruptions with 0-sized undo buffer allocation is 
possible since 3.10, too.
   (sem_lock before accessing sma->sem_nsems replaced with 
sem_obtain_object_check).


--
     Manfred

View attachment "0001-ipc-sem.c-Fully-initialize-sem_array-before-making-i.patch" of type "text/x-patch" (1643 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ