| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1379300677-24188-3-git-send-email-davidlohr@hp.com>
Date: Sun, 15 Sep 2013 20:04:35 -0700
From: Davidlohr Bueso <davidlohr@...com>
To: Manfred Spraul <manfred@...orfullife.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Andrew Morton <akpm@...ux-foundation.org>
Cc: Rik van Riel <riel@...hat.com>, Mike Galbraith <efault@....de>,
sedat.dilek@...il.com,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Davidlohr Bueso <davidlohr@...com>
Subject: [PATCH 2/4] ipc,shm: prevent race with rmid in shmat(2)
This fixes a race in shmat() between finding the msq and
actually attaching the segment, as another thread can delete shmid
underneath us if we are preempted before acquiring the kern_ipc_perm.lock.
Reported-by: Manfred Spraul <manfred@...orfullife.com>
Signed-off-by: Davidlohr Bueso <davidlohr@...com>
---
ipc/shm.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/ipc/shm.c b/ipc/shm.c
index bc3e897..1afde7e 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1093,6 +1093,14 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr,
goto out_unlock;
ipc_lock_object(&shp->shm_perm);
+
+ /* have we raced with RMID? */
+ if (shp->shm_perm.deleted) {
+ err = -EIDRM;
+ ipc_unlock_object(&shp->shm_perm);
+ goto out_unlock;
+ }
+
err = security_shm_shmat(shp, shmaddr, shmflg);
if (err) {
ipc_unlock_object(&shp->shm_perm);
--
1.7.11.7
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists