• Manfred Spraul's avatar
    ipc: reorganize initialization of kern_ipc_perm.seq · e2652ae6
    Manfred Spraul authored
    ipc_addid() initializes kern_ipc_perm.seq after having called idr_alloc()
    (within ipc_idr_alloc()).
    
    Thus a parallel semop() or msgrcv() that uses ipc_obtain_object_check()
    may see an uninitialized value.
    
    The patch moves the initialization of kern_ipc_perm.seq before the calls
    of idr_alloc().
    
    Notes:
    1) This patch has a user space visible side effect:
    If /proc/sys/kernel/*_next_id is used (i.e.: checkpoint/restore) and
    if semget()/msgget()/shmget() fails in the final step of adding the id
    to the rhash tree, then .._next_id is cleared. Before the patch, is
    remained unmodified.
    
    There is no change of the behavior after a successful ..get() call: It
    always clears .._next_id, there is no impact to non checkpoint/restore
    code as that code does not use .._next_id.
    
    2) The patch correctly documents that after a call to ipc_idr_alloc(),
    the full tear-down sequence must be used. The callers of ipc_addid()
    do not fullfill that, i.e. more bugfixes are required.
    
    The patch is a squash of a patch from Dmitry and my own changes.
    
    Link: http://lkml.kernel.org/r/20180712185241.4017-3-manfred@colorfullife.com
    Reported-by: syzbot+2827ef6b3385deb07eaf@syzkaller.appspotmail.com
    Signed-off-by: default avatarManfred Spraul <manfred@colorfullife.com>
    Cc: Dmitry Vyukov <dvyukov@google.com>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Davidlohr Bueso <dave@stgolabs.net>
    Cc: Michael Kerrisk <mtk.manpages@gmail.com>
    Cc: Davidlohr Bueso <dbueso@suse.de>
    Cc: Herbert Xu <herbert@gondor.apana.org.au>
    Cc: Michal Hocko <mhocko@suse.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    e2652ae6
kernel.txt 39 KB