summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPavel Emelianov <xemul@openvz.org>2007-07-31 11:38:48 +0400
committerGreg Kroah-Hartman <gregkh@suse.de>2007-08-10 01:27:36 +0400
commit68a0460bbcc7571753b57b83f21e8c1c5029a46a (patch)
tree89b04b034309ce8ea3c640466a8cdc1406a226e1
parentdf358e1bad63f47ef3d399f8193bdc5a59d3d747 (diff)
downloadlinux-68a0460bbcc7571753b57b83f21e8c1c5029a46a.tar.xz
Fix user struct leakage with locked IPC shem segment
When user locks an ipc shmem segmant with SHM_LOCK ctl and the segment is already locked the shmem_lock() function returns 0. After this the subsequent code leaks the existing user struct: == ipc/shm.c: sys_shmctl() == ... err = shmem_lock(shp->shm_file, 1, user); if (!err) { shp->shm_perm.mode |= SHM_LOCKED; shp->mlock_user = user; } ... == Other results of this are: 1. the new shp->mlock_user is not get-ed and will point to freed memory when the task dies. 2. the RLIMIT_MEMLOCK is screwed on both user structs. The exploit looks like this: == id = shmget(...); setresuid(uid, 0, 0); shmctl(id, SHM_LOCK, NULL); setresuid(uid + 1, 0, 0); shmctl(id, SHM_LOCK, NULL); == My solution is to return 0 to the userspace and do not change the segment's user. Signed-off-by: Pavel Emelianov <xemul@openvz.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--ipc/shm.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/ipc/shm.c b/ipc/shm.c
index 0852f206d895..3bdcb9a19910 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -716,7 +716,7 @@ asmlinkage long sys_shmctl (int shmid, int cmd, struct shmid_ds __user *buf)
struct user_struct * user = current->user;
if (!is_file_hugepages(shp->shm_file)) {
err = shmem_lock(shp->shm_file, 1, user);
- if (!err) {
+ if (!err && !(shp->shm_perm.mode & SHM_LOCKED)){
shp->shm_perm.mode |= SHM_LOCKED;
shp->mlock_user = user;
}