Bug 61361

Summary: ipc/msg.c: do_msgsnd vs. IPC_RMID, do_msgrcv vs. IPC_RMID
Product: Other Reporter: Manfred Spraul (manfred)
Component: OtherAssignee: other_other
Status: RESOLVED CODE_FIX    
Severity: normal CC: davidlohr
Priority: P1    
Hardware: All   
OS: Linux   
URL: http://marc.info/?l=linux-kernel&m=137899862114739
Kernel Version: Subsystem:
Regression: Yes Bisected commit-id:
Bug Depends on:    
Bug Blocks: 62061    

Description Manfred Spraul 2013-09-15 11:01:39 UTC 
The synchronization between adding messages and IPC_RMID is incomplete.

This creates a memory leak and use-after-free races

Affected: 3.0.11, current head

Details:
Assume a preemptible kernel that is preempted just after
> msq = msq_obtain_object_check(ns, msqid)
in do_msgrcv().
The only lock that is held is rcu_read_lock().

Now the other thread processes IPC_RMID.
When the first task is resumed, then it will happily wait for messages on a deleted queue (including use-after-free memory writes and whatever else).
Comment 1 Davidlohr Bueso 2013-09-27 01:11:00 UTC 
Please refer to https://lkml.org/lkml/2013/9/15/149
Comment 2 Manfred Spraul 2013-10-02 07:20:28 UTC 
Fixed

53dad6d3a8e5ac1af8bacc6ac2134ae1a8b085f1 ipc: fix race with LSMs