Bug 61361 - ipc/msg.c: do_msgsnd vs. IPC_RMID, do_msgrcv vs. IPC_RMID
Summary: ipc/msg.c: do_msgsnd vs. IPC_RMID, do_msgrcv vs. IPC_RMID
Status: RESOLVED CODE_FIX
Alias: None
Product: Other
Classification: Unclassified
Component: Other
Hardware: All Linux
Importance: P1 normal
Assignee: other_other
URL: http://marc.info/?l=linux-kernel&m=13...
Keywords:
Depends on:
Blocks: 62061
Reported: 2013-09-15 11:01 UTC by Manfred Spraul
Modified: 2013-10-02 07:20 UTC (History)

See Also:
Kernel Version:
Subsystem:
Regression: Yes
Bisected commit-id:


Attachments

Description Manfred Spraul 2013-09-15 11:01:39 UTC
The synchronization between adding messages and IPC_RMID is incomplete.

This creates a memory leak and use-after-free races.

Affected: 3.0.11, current head

Details:
Assume a preemptible kernel that is preempted just after
> msq = msq_obtain_object_check(ns, msqid)
in do_msgrcv().
The only lock that is held is rcu_read_lock().

Now the other thread processes IPC_RMID.
When the first task is resumed, then it will happily wait for messages on a deleted queue (including use-after-free memory writes and whatever else).
Comment 1 Davidlohr Bueso 2013-09-27 01:11:00 UTC
Please refer to https://lkml.org/lkml/2013/9/15/149
Comment 2 Manfred Spraul 2013-10-02 07:20:28 UTC
Fixed

53dad6d3a8e5ac1af8bacc6ac2134ae1a8b085f1 ipc: fix race with LSMs
