    Fix user struct leakage with locked IPC shmem segment · 7be77e20
    Pavel Emelianov authored
    When a user locks an ipc shmem segment with SHM_LOCK ctl and the segment is
    already locked, the shmem_lock() function returns 0.  After this the
    subsequent code leaks the existing user struct:
    
    == ipc/shm.c: sys_shmctl() ==
         ...
         err = shmem_lock(shp->shm_file, 1, user);
         if (!err) {
              shp->shm_perm.mode |= SHM_LOCKED;
              shp->mlock_user = user;
         }
         ...
    ==
    
    Other results of this are:
    1. the new shp->mlock_user is not get-ed and will point to freed
       memory when the task dies.
    2. the RLIMIT_MEMLOCK is screwed on both user structs.
    
    The exploit looks like this:
    
    ==
        id = shmget(...);
        setresuid(uid, 0, 0);
        shmctl(id, SHM_LOCK, NULL);
        setresuid(uid + 1, 0, 0);
        shmctl(id, SHM_LOCK, NULL);
    ==
    
    My solution is to return 0 to userspace and not change the
    segment's user.
    Signed-off-by: Pavel Emelianov <xemul@openvz.org>
    Cc: <stable@kernel.org>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
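The following is an added userspace model of the accounting the commit message describes; it is not the kernel's code and not part of the commit. It stands in `user_shm_lock()`/`user_shm_unlock()`, `shmem_lock()` and the `sys_shmctl()` SHM_LOCK path with small C functions of the same shape (the names, the `file_locked` field that plays the role of the inode's locked flag, the page counts and the `SHM_LOCKED` value are all illustrative). It replays the sequence from the commit message, lock as one user, lock again as another, then unlock, once with the quoted buggy branch and once with a branch that leaves `mlock_user` alone when the segment is already locked, and reports whether the reference count and RLIMIT_MEMLOCK charge end up balanced.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model only: none of these structs or values are the kernel's. */
#define SHM_LOCKED 02000u

struct user_struct {
    const char *name;
    int refcount;     /* references taken by get_uid(), dropped by free_uid() */
    long locked_shm;  /* pages charged against this user's RLIMIT_MEMLOCK */
};

struct shmid_kernel {
    unsigned int mode;              /* SHM_LOCKED is set by the shmctl path */
    int file_locked;                /* stands in for the inode's locked flag */
    long npages;                    /* segment size in pages */
    struct user_struct *mlock_user; /* user credited with the lock, or NULL */
};

/* Two users that the scenario below resets before each run. */
struct user_struct user_a, user_b;

static void get_uid(struct user_struct *u) { u->refcount++; }
static void free_uid(struct user_struct *u) { u->refcount--; }

/* Charge or refund the pages and hold/drop a reference on the charged user. */
static void user_shm_lock(long pages, struct user_struct *user)
{
    user->locked_shm += pages;
    get_uid(user);
}
static void user_shm_unlock(long pages, struct user_struct *user)
{
    user->locked_shm -= pages;
    free_uid(user);
}

/* shmem_lock() analogue: re-locking an already locked file is a no-op that
 * still returns 0, which is exactly what the buggy caller relies on. */
static int shmem_lock(struct shmid_kernel *shp, int lock, struct user_struct *user)
{
    if (lock && !shp->file_locked) {
        user_shm_lock(shp->npages, user);
        shp->file_locked = 1;
    } else if (!lock && shp->file_locked && user) {
        user_shm_unlock(shp->npages, user);
        shp->file_locked = 0;
    }
    return 0;
}

/* The SHM_LOCK branch as quoted in the commit message: on a re-lock it rebinds
 * mlock_user to a user that was never charged nor get-ed. */
static void shmctl_lock_buggy(struct shmid_kernel *shp, struct user_struct *user)
{
    int err = shmem_lock(shp, 1, user);
    if (!err) {
        shp->mode |= SHM_LOCKED;
        shp->mlock_user = user;
    }
}

/* Same branch, but the segment's user is left untouched once SHM_LOCKED is set. */
static void shmctl_lock_fixed(struct shmid_kernel *shp, struct user_struct *user)
{
    int err = shmem_lock(shp, 1, user);
    if (!err && !(shp->mode & SHM_LOCKED)) {
        shp->mode |= SHM_LOCKED;
        shp->mlock_user = user;
    }
}

/* SHM_UNLOCK analogue: refund whichever user mlock_user points at. */
static void shmctl_unlock(struct shmid_kernel *shp)
{
    shmem_lock(shp, 0, shp->mlock_user);
    shp->mode &= ~SHM_LOCKED;
    shp->mlock_user = NULL;
}

/* Lock as A, lock again as B, unlock. Returns 1 if both users end up with no
 * outstanding reference and no charged pages, 0 if something leaked. */
int scenario(int use_fix)
{
    struct shmid_kernel shp = { .mode = 0, .file_locked = 0, .npages = 16, .mlock_user = NULL };
    void (*lock)(struct shmid_kernel *, struct user_struct *) =
        use_fix ? shmctl_lock_fixed : shmctl_lock_buggy;

    memset(&user_a, 0, sizeof user_a); user_a.name = "A";
    memset(&user_b, 0, sizeof user_b); user_b.name = "B";

    lock(&shp, &user_a);   /* first SHM_LOCK */
    lock(&shp, &user_b);   /* second SHM_LOCK after switching uid */
    shmctl_unlock(&shp);

    return user_a.refcount == 0 && user_a.locked_shm == 0 &&
           user_b.refcount == 0 && user_b.locked_shm == 0;
}

int main(void)
{
    int i;
    for (i = 0; i < 2; i++) {
        int balanced = scenario(i);
        printf("%s: balanced=%d A{ref=%d locked=%ld} B{ref=%d locked=%ld}\n",
               i ? "fixed" : "buggy", balanced,
               user_a.refcount, user_a.locked_shm,
               user_b.refcount, user_b.locked_shm);
    }
    return 0;
}
```

In the buggy run the reference and the 16 charged pages stay attached to user A while user B is refunded for pages it never locked, which is the "screwed on both user structs" outcome; the fixed run refunds A and leaves B untouched.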