| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20180817165334.GA3677@linux-r8p5>
Date: Fri, 17 Aug 2018 09:53:34 -0700
From: Davidlohr Bueso <dave@...olabs.net>
To: Waiman Long <longman@...hat.com>
Cc: "Luis R. Rodriguez" <mcgrof@...nel.org>,
Kees Cook <keescook@...omium.org>,
Andrew Morton <akpm@...ux-foundation.org>,
Jonathan Corbet <corbet@....net>, linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org, linux-doc@...r.kernel.org,
Al Viro <viro@...iv.linux.org.uk>,
Matthew Wilcox <willy@...radead.org>,
"Eric W. Biederman" <ebiederm@...ssion.com>,
Takashi Iwai <tiwai@...e.de>, Davidlohr Bueso <dbueso@...e.de>,
manfred@...orfullife.com
Subject: Re: [PATCH v8 2/5] ipc: IPCMNI limit check for semmni
On Mon, 18 Jun 2018, Waiman Long wrote:
>For SysV semaphores, the semmni value is the last part of the 4-element
>sem number array. To make semmni behave in a similar way to msgmni and
>shmmni, we can't directly use the _minmax handler. Instead, a special
>sem specific handler is added to check the last argument to make sure
>that it is limited to the [0, IPCMNI] range. An error will be returned
>if this is not the case.
>
>Signed-off-by: Waiman Long <longman@...hat.com>
Reviewed-by: Davidlohr Bueso <dave@...olabs.net>
>---
> ipc/ipc_sysctl.c | 23 ++++++++++++++++++++++-
> ipc/util.h | 9 +++++++++
> 2 files changed, 31 insertions(+), 1 deletion(-)
>
>diff --git a/ipc/ipc_sysctl.c b/ipc/ipc_sysctl.c
>index f87cb29..49f9bf4 100644
>--- a/ipc/ipc_sysctl.c
>+++ b/ipc/ipc_sysctl.c
>@@ -88,12 +88,33 @@ static int proc_ipc_auto_msgmni(struct ctl_table *table, int write,
> return proc_dointvec_minmax(&ipc_table, write, buffer, lenp, ppos);
> }
>
>+static int proc_ipc_sem_dointvec(struct ctl_table *table, int write,
>+ void __user *buffer, size_t *lenp, loff_t *ppos)
>+{
>+ int ret, semmni;
>+ struct ipc_namespace *ns = current->nsproxy->ipc_ns;
>+
>+ semmni = ns->sem_ctls[3];
>+ ret = proc_ipc_dointvec(table, write, buffer, lenp, ppos);
>+
>+ if (!ret)
>+ ret = sem_check_semmni(current->nsproxy->ipc_ns);
>+
>+ /*
>+ * Reset the semmni value if an error happens.
>+ */
>+ if (ret)
>+ ns->sem_ctls[3] = semmni;
>+ return ret;
>+}
>+
> #else
> #define proc_ipc_doulongvec_minmax NULL
> #define proc_ipc_dointvec NULL
> #define proc_ipc_dointvec_minmax NULL
> #define proc_ipc_dointvec_minmax_orphans NULL
> #define proc_ipc_auto_msgmni NULL
>+#define proc_ipc_sem_dointvec NULL
> #endif
>
> static int zero;
>@@ -175,7 +196,7 @@ static int proc_ipc_auto_msgmni(struct ctl_table *table, int write,
> .data = &init_ipc_ns.sem_ctls,
> .maxlen = 4*sizeof(int),
> .mode = 0644,
>- .proc_handler = proc_ipc_dointvec,
>+ .proc_handler = proc_ipc_sem_dointvec,
> },
> #ifdef CONFIG_CHECKPOINT_RESTORE
> {
>diff --git a/ipc/util.h b/ipc/util.h
>index 0aba323..8e9c52c 100644
>--- a/ipc/util.h
>+++ b/ipc/util.h
>@@ -218,6 +218,15 @@ int ipcget(struct ipc_namespace *ns, struct ipc_ids *ids,
> void free_ipcs(struct ipc_namespace *ns, struct ipc_ids *ids,
> void (*free)(struct ipc_namespace *, struct kern_ipc_perm *));
>
>+static inline int sem_check_semmni(struct ipc_namespace *ns) {
>+ /*
>+ * Check semmni range [0, IPCMNI]
>+ * semmni is the last element of sem_ctls[4] array
>+ */
>+ return ((ns->sem_ctls[3] < 0) || (ns->sem_ctls[3] > IPCMNI))
>+ ? -ERANGE : 0;
>+}
>+
> #ifdef CONFIG_COMPAT
> #include <linux/compat.h>
> struct compat_ipc_perm {
>--
>1.8.3.1
>
Powered by blists - more mailing lists