• Pavel Emelianov's avatar
    Fix user struct leakage with locked IPC shem segment · 7be77e20
    Pavel Emelianov authored
    When user locks an ipc shmem segmant with SHM_LOCK ctl and the segment is
    already locked the shmem_lock() function returns 0.  After this the
    subsequent code leaks the existing user struct:
    
    == ipc/shm.c: sys_shmctl() ==
         ...
         err = shmem_lock(shp->shm_file, 1, user);
         if (!err) {
              shp->shm_perm.mode |= SHM_LOCKED;
              shp->mlock_user = user;
         }
         ...
    ==
    
    Other results of this are:
    1. the new shp->mlock_user is not get-ed and will point to freed
       memory when the task dies.
    2. the RLIMIT_MEMLOCK is screwed on both user structs.
    
    The exploit looks like this:
    
    ==
        id = shmget(...);
        setresuid(uid, 0, 0);
        shmctl(id, SHM_LOCK, NULL);
        setresuid(uid + 1, 0, 0);
        shmctl(id, SHM_LOCK, NULL);
    ==
    
    My solution is to return 0 to the userspace and do not change the
    segment's user.
    Signed-off-by: default avatarPavel Emelianov <xemul@openvz.org>
    Cc: <stable@kernel.org>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    7be77e20
shm.c 25.9 KB