Commit 7be77e20 authored Jul 31, 2007 by Pavel Emelianov Committed by Linus Torvalds Jul 31, 2007

Fix user struct leakage with locked IPC shem segment



When user locks an ipc shmem segmant with SHM_LOCK ctl and the segment is
already locked the shmem_lock() function returns 0.  After this the
subsequent code leaks the existing user struct:

== ipc/shm.c: sys_shmctl() ==
     ...
     err = shmem_lock(shp->shm_file, 1, user);
     if (!err) {
          shp->shm_perm.mode |= SHM_LOCKED;
          shp->mlock_user = user;
     }
     ...
==

Other results of this are:
1. the new shp->mlock_user is not get-ed and will point to freed
   memory when the task dies.
2. the RLIMIT_MEMLOCK is screwed on both user structs.

The exploit looks like this:

==
    id = shmget(...);
    setresuid(uid, 0, 0);
    shmctl(id, SHM_LOCK, NULL);
    setresuid(uid + 1, 0, 0);
    shmctl(id, SHM_LOCK, NULL);
==

My solution is to return 0 to the userspace and do not change the
segment's user.

Signed-off-by: Pavel Emelianov <xemul@openvz.org>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

parent ad0b1427

ipc/shm.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -716,7 +716,7 @@ asmlinkage long sys_shmctl (int shmid, int cmd, struct shmid_ds __user *buf)
		struct user_struct * user = current->user;
		if (!is_file_hugepages(shp->shm_file)) {
		err = shmem_lock(shp->shm_file, 1, user);
		if (!err) {
		if (!err && !(shp->shm_perm.mode & SHM_LOCKED)){
		shp->shm_perm.mode \|= SHM_LOCKED;
		shp->mlock_user = user;
		}

Admin message