Bug 61371
| Summary: | ipc/sem.c: semtimedop vs. IPC_RMID | ||
|---|---|---|---|
| Product: | Other | Reporter: | Manfred Spraul (manfred) |
| Component: | Other | Assignee: | other_other |
| Status: | NEW --- | ||
| Severity: | normal | ||
| Priority: | P1 | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://marc.info/?l=linux-kernel&m=137898843310644 | ||
| Kernel Version: | Subsystem: | ||
| Regression: | Yes | Bisected commit-id: | |
| Bug Depends on: | |||
| Bug Blocks: | 62061 | ||
The synchronization between adding messages and IPC_RMID is incomplete. This creates a memory leak and use-after-free races Affected: 3.0.10, 3.0.11, current head Details: Assume a preemptible kernel that is preempted just after > sma = sem_obtain_object_check(ns, semid); in semtimedop(). The only lock that is held is rcu_read_lock(). Now the other thread processes IPC_RMID. When the first task is resumed, then it will happily wait for messages on a deleted queue (including use-after-free memory writes and whatever else).