| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20151012161002.GB3170@linux-uzut.site> Date: Mon, 12 Oct 2015 09:10:02 -0700 From: Davidlohr Bueso <dave@...olabs.net> To: Michael Kerrisk <mtk@...7.org> Cc: linux-kernel@...r.kernel.org, Greg Thelen <gthelen@...gle.com>, Andrew Morton <akpm@...ux-foundation.org> Subject: Re: manpage regarding shmat after deleting a segment On Mon, 12 Oct 2015, Bueso wrote: >Hi Michael, > >We currently have the following statement in the shmctl(2) manpage: > > Linux permits a process to attach (shmat(2)) a shared memory segment > that has already been marked for deletion using shmctl(IPC_RMID). > This feature is not available on other UNIX implementations; > portable applications should avoid relying on it. > >Which seems to be incorrect, or at least confusing/stale. shmat() will >check against previously deleted segments (although the resources are in >fact deleted only when the last process referencing it exits). Therefore >Linux appears to do what all other Unices do. Ok, so perhaps not so stale. Its just that we managed to break userspace again via a399b29dfba (ipc,shm: fix shm_file deletion races), which is something we need to proporly do the the lockless ipc object lookups/security checks. Sure, without that 'if (shp->shm_file == NULL)' check, there is no problem with attaching to a deleted seg. At this point, the manpage should probably be updated to indicate that this behavior is only as of v3.10. > >Specifically, this is in the form of validating against ipc_valid_object(), >which checks against the deleted flag, returning EIDRM when the segment has >already been marked for deletion via shmctl(IPC_RMID). > >Now, previously shmat() used to check against shm_file validity (changed in >0f3d2b0135f4 ipc: introduce ipc_valid_object() helper to sort out IPC_RMID >races), which is basically the same wrt to the text in question. So this >behavior is in fact quite old. Furthermore, in general there seems to be a >lot of ambiguity among IPC_RMID, EIDRM, EINVAL, and now this text. > >Therefore I propose dropping this. Am I missing something? Thoughts? > >Thanks, >Davidlohr > >diff --git a/man2/shmctl.2 b/man2/shmctl.2 >index 21ede49..72a2854 100644 >--- a/man2/shmctl.2 >+++ b/man2/shmctl.2 >@@ -405,14 +405,6 @@ In the future, these may modified or moved to a > .I /proc > filesystem interface. >-Linux permits a process to attach >-.RB ( shmat (2)) >-a shared memory segment that has already been marked for deletion >-using >-.IR shmctl(IPC_RMID) . >-This feature is not available on other UNIX implementations; >-portable applications should avoid relying on it. >- > Various fields in a \fIstruct shmid_ds\fP were typed as > .I short > under Linux 2.2 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists