lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <1416617795.17594.14.camel@linux-t7sj.site>
Date:	Fri, 21 Nov 2014 16:56:35 -0800
From:	Davidlohr Bueso <dave@...olabs.net>
To:	Rik van Riel <riel@...hat.com>
Cc:	Andrew Morton <akpm@...ux-foundation.org>,
	linux-kernel@...r.kernel.org,
	Manfred Spraul <manfred@...orfullife.com>,
	Rafael Aquini <aquini@...hat.com>
Subject: Re: [PATCH] ipc,sem block sem_lock on sma->lock during sma
 initialization

On Fri, 2014-11-21 at 18:03 -0500, Rik van Riel wrote:
> On 11/21/2014 03:42 PM, Andrew Morton wrote:
> > On Fri, 21 Nov 2014 15:29:27 -0500 Rik van Riel <riel@...hat.com>
> > wrote:
> > 
> >> On 11/21/2014 03:09 PM, Andrew Morton wrote:
> >>> On Fri, 21 Nov 2014 14:52:26 -0500 Rik van Riel
> >>> <riel@...hat.com> wrote:
> >>> 
> >>>> When manipulating just one semaphore with semop, sem_lock
> >>>> only takes that single semaphore's lock. This creates a
> >>>> problem during initialization of the semaphore array, when
> >>>> the data structures used by sem_lock have not been set up
> >>>> yet. The sma->lock is already held by newary, and we just
> >>>> have to make sure everything else waits on that lock during
> >>>> initialization.
> >>>> 
> >>>> Luckily it is easy to make sem_lock wait on the sma->lock,
> >>>> by pretending there is a complex operation in progress while
> >>>> the sma is being initialized.
> >>>> 
> >>>> The newary function already zeroes sma->complex_count before 
> >>>> unlocking the sma->lock.
> >>> 
> >>> What are the runtime effects of the bug?
> >>> 
> >> 
> >> NULL pointer dereference in spin_lock from sem_lock, if it is
> >> called before sma->sem_base has been pointed somewhere valid.
> > 
> > Help us out here.  People need to use this description to work out 
> > which kernel versions need the patch and whether to backport the
> > fix into their various kernels.  Other people will be starting at
> > this changelog wondering "will this fix the bug my customer has
> > reported".
> > 
> > Is there some bug report people can look at?

This would be nice for the changelog...

> > 
> > What userspace actions trigger this bug?
> 
> The reason the bug took almost two years to get noticed is that
> it takes one task doing a semop on a semaphore in an array that
> is still getting instantiated by newary (getsem) from another
> task.
> 
> In other words, if you try to use a semaphore array before
> getsem returns, you can oops the task that calls semop.

This seems bogus from an application level: how can you call semop if
you don't have the semid yet returned from semget? And the fact that the
race is with newary, means that the call is in fact creating a *new*
set, as opposed to plugging into an already existing set.

The fix in newary() being before the actual creation of the id seems
even stranger:

	sma->complex_count = 1;
	id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);

As for semtimedop() before even getting to sem_lock(), we first call:

	sma = sem_obtain_object_check(ns, semid);

So shouldn't that fail anyway before we even consider acquiring the lock?

Thanks,
Davidlohr

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ