61371 – ipc/sem.c: semtimedop vs. IPC_RMID

Bug 61371 - ipc/sem.c: semtimedop vs. IPC_RMID

Summary: ipc/sem.c: semtimedop vs. IPC_RMID

Status:	NEW

Alias:	None

Product:	Other
Classification:	Unclassified
Component:	Other (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	other_other

URL:	http://marc.info/?l=linux-kernel&m=13...
Keywords:

Depends on:
Blocks:	62061
	Show dependency tree

Reported:	2013-09-15 11:06 UTC by Manfred Spraul
Modified:	2013-09-25 07:23 UTC (History)
CC List:	0 users

See Also:
Kernel Version:
Subsystem:
Regression:	Yes
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Manfred Spraul 2013-09-15 11:06:44 UTC

The synchronization between adding messages and IPC_RMID is incomplete.

This creates a memory leak and use-after-free races

Affected: 3.0.10, 3.0.11, current head

Details:
Assume a preemptible kernel that is preempted just after
> sma = sem_obtain_object_check(ns, semid);
in semtimedop().
The only lock that is held is rcu_read_lock().

Now the other thread processes IPC_RMID.
When the first task is resumed, then it will happily wait for messages on a deleted queue (including use-after-free memory writes and whatever else).

Note You need to log in before you can comment on or make changes to this bug.