lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Fri, 21 Nov 2014 22:40:16 -0500
From:	Rik van Riel <>
To:	Davidlohr Bueso <>
CC:	Andrew Morton <>,,
	Manfred Spraul <>,
	Rafael Aquini <>
Subject: Re: [PATCH] ipc,sem block sem_lock on sma->lock during sma initialization

Hash: SHA1

On 11/21/2014 07:56 PM, Davidlohr Bueso wrote:
> On Fri, 2014-11-21 at 18:03 -0500, Rik van Riel wrote:

>> In other words, if you try to use a semaphore array before getsem
>> returns, you can oops the task that calls semop.
> This seems bogus from an application level: how can you call semop
> if you don't have the semid yet returned from semget? And the fact
> that the race is with newary, means that the call is in fact
> creating a *new* set, as opposed to plugging into an already
> existing set.

Agreed, this is bogus from userspace.

However, userspace doing bogus things should not lead to a
kernel crash.

> The fix in newary() being before the actual creation of the id
> seems even stranger:
> sma->complex_count = 1; id = ipc_addid(&sem_ids(ns),
> &sma->sem_perm, ns->sc_semmni);
> As for semtimedop() before even getting to sem_lock(), we first
> call:
> sma = sem_obtain_object_check(ns, semid);
> So shouldn't that fail anyway before we even consider acquiring the
> lock?

newary initializes a bunch of things after the call to
ipc_addid, however some things are initialized inside
ipc_addid as well

Looking closer at newary, I suppose that it should be
possible to move those other initializations before
the call to ipc_addid.  That would likely get rid of
the problem, too.

However, I also see this line in newary, and I have
no idea what protects that data:

        ns->used_sems += nsems;

I don't see any locking around ns->used_sems for
simultaneous getsem & RMID...

- -- 
All rights reversed
Version: GnuPG v1

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

Powered by blists - more mailing lists