Commit 02fdb36a authored Apr 29, 2008 by Serge E. Hallyn Committed by Linus Torvalds Apr 29, 2008

ipc: sysvsem: refuse clone(CLONE_SYSVSEM|CLONE_NEWIPC)



CLONE_NEWIPC|CLONE_SYSVSEM interaction isn't handled properly.  This can cause
a kernel memory corruption.  CLONE_NEWIPC must detach from the existing undo
lists.

Fix, part 3: refuse clone(CLONE_SYSVSEM|CLONE_NEWIPC).

With unshare, specifying CLONE_SYSVSEM means unshare the sysvsem.  So it seems
reasonable that CLONE_NEWIPC without CLONE_SYSVSEM would just imply
CLONE_SYSVSEM.

However with clone, specifying CLONE_SYSVSEM means *share* the sysvsem.  So
calling clone(CLONE_SYSVSEM|CLONE_NEWIPC) is explicitly asking for something
we can't allow.  So return -EINVAL in that case.

[akpm@linux-foundation.org: cleanups]
Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Cc: Manfred Spraul <manfred@colorfullife.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Pavel Emelyanov <xemul@openvz.org>
Cc: Michael Kerrisk <mtk.manpages@googlemail.com>
Cc: Pierre Peiffer <peifferp@gmail.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent 6013f67f

kernel/nsproxy.c

+12 −0

Original line number	Diff line number	Diff line
		@@ -139,6 +139,18 @@ int copy_namespaces(unsigned long flags, struct task_struct *tsk)
		goto out;
		}

		/*
		* CLONE_NEWIPC must detach from the undolist: after switching
		* to a new ipc namespace, the semaphore arrays from the old
		* namespace are unreachable. In clone parlance, CLONE_SYSVSEM
		* means share undolist with parent, so we must forbid using
		* it along with CLONE_NEWIPC.
		*/
		if ((flags & CLONE_NEWIPC) && (flags & CLONE_SYSVSEM)) {
		err = -EINVAL;
		goto out;
		}

		new_ns = create_new_namespaces(flags, tsk, tsk->fs);
		if (IS_ERR(new_ns)) {
		err = PTR_ERR(new_ns);

Admin message