lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20170525185107.12869-10-manfred@colorfullife.com>
Date:   Thu, 25 May 2017 20:50:56 +0200
From:   Manfred Spraul <manfred@...orfullife.com>
To:     mtk.manpages@...il.com, Andrew Morton <akpm@...ux-foundation.org>,
        Kees Cook <keescook@...omium.org>
Cc:     LKML <linux-kernel@...r.kernel.org>, 1vier1@....de,
        Davidlohr Bueso <dave@...olabs.net>, mingo@...nel.org,
        peterz@...radead.org, fabf@...net.be,
        Manfred Spraul <manfred@...orfullife.com>
Subject: [PATCH 09/20] ipc/sem: Avoid ipc_rcu_alloc()

From: Kees Cook <keescook@...omium.org>

Instead of using ipc_rcu_alloc() which only performs the refcount
bump, open code it to perform better sem-specific checks. This
also allows for sem_array structure layout to be randomized in the
future.

Signed-off-by: Kees Cook <keescook@...omium.org>

[manfred@...orfullife.com: Rediff, because the memset was
temporarily inside ipc_rcu_alloc()]

Signed-off-by: Manfred Spraul <manfred@...orfullife.com>
---
 ipc/sem.c | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/ipc/sem.c b/ipc/sem.c
index a04c4d6..445a5b5 100644
--- a/ipc/sem.c
+++ b/ipc/sem.c
@@ -451,6 +451,25 @@ static inline void sem_rmid(struct ipc_namespace *ns, struct sem_array *s)
 	ipc_rmid(&sem_ids(ns), &s->sem_perm);
 }
 
+static struct sem_array *sem_alloc(size_t nsems)
+{
+	struct sem_array *sma;
+	size_t size;
+
+	if (nsems > (INT_MAX - sizeof(*sma)) / sizeof(sma->sems[0]))
+		return NULL;
+
+	size = sizeof(*sma) + nsems * sizeof(sma->sems[0]);
+	sma = kvmalloc(size, GFP_KERNEL);
+	if (unlikely(!sma))
+		return NULL;
+
+	memset(sma, 0, size);
+	atomic_set(&sma->sem_perm.refcount, 1);
+
+	return sma;
+}
+
 /**
  * newary - Create a new semaphore set
  * @ns: namespace
@@ -463,7 +482,6 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params)
 	int id;
 	int retval;
 	struct sem_array *sma;
-	int size;
 	key_t key = params->key;
 	int nsems = params->u.nsems;
 	int semflg = params->flg;
@@ -474,10 +492,7 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params)
 	if (ns->used_sems + nsems > ns->sc_semmns)
 		return -ENOSPC;
 
-	BUILD_BUG_ON(offsetof(struct sem_array, sem_perm) != 0);
-
-	size = sizeof(*sma) + nsems * sizeof(sma->sems[0]);
-	sma = container_of(ipc_rcu_alloc(size), struct sem_array, sem_perm);
+	sma = sem_alloc(nsems);
 	if (!sma)
 		return -ENOMEM;
 
-- 
2.9.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ