The patch titled Subject: ipc/sem: avoid indexing past end of sem_array has been added to the -mm tree. Its filename is ipc-sem-avoid-indexing-past-end-of-sem_array.patch This patch should soon appear at http://ozlabs.org/~akpm/mmots/broken-out/ipc-sem-avoid-indexing-past-end-of-sem_array.patch and later at http://ozlabs.org/~akpm/mmotm/broken-out/ipc-sem-avoid-indexing-past-end-of-sem_array.patch Before you just go and hit "reply", please: a) Consider who else should be cc'ed b) Prefer to cc a suitable mailing list as well c) Ideally: find the original patch on the mailing list and do a reply-to-all to that, adding suitable additional cc's *** Remember to use Documentation/SubmitChecklist when testing your code *** The -mm tree is included into linux-next and is updated there every 3-4 working days ------------------------------------------------------ From: Kees Cook <keescook@xxxxxxxxxxxx> Subject: ipc/sem: avoid indexing past end of sem_array This changes the struct + trailing data pattern to using a void * so that the end of sem_array is found without possibly indexing past the end which can upset some static analyzers. Mostly, this ends up avoiding a cast between different non-void types, which the future randstruct GCC plugin was warning about. Link: http://lkml.kernel.org/r/20170508222345.GA52073@beast Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx> Cc: Davidlohr Bueso <dave@xxxxxxxxxxxx> Cc: Manfred Spraul <manfred@xxxxxxxxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- ipc/sem.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff -puN ipc/sem.c~ipc-sem-avoid-indexing-past-end-of-sem_array ipc/sem.c --- a/ipc/sem.c~ipc-sem-avoid-indexing-past-end-of-sem_array +++ a/ipc/sem.c @@ -475,6 +475,7 @@ static int newary(struct ipc_namespace * { int id; int retval; + void *sem_alloc; struct sem_array *sma; int size; key_t key = params->key; 
@@ -488,11 +489,14 @@ static int newary(struct ipc_namespace * return -ENOSPC; size = sizeof(*sma) + nsems * sizeof(struct sem); - sma = ipc_rcu_alloc(size); - if (!sma) + sem_alloc = ipc_rcu_alloc(size); + if (!sem_alloc) return -ENOMEM; - memset(sma, 0, size); + memset(sem_alloc, 0, size); + + sma = sem_alloc; + sma->sem_base = sem_alloc + sizeof(*sma); sma->sem_perm.mode = (semflg & S_IRWXUGO); sma->sem_perm.key = key; @@ -504,8 +508,6 @@ static int newary(struct ipc_namespace * return retval; } - sma->sem_base = (struct sem *) &sma[1]; - for (i = 0; i < nsems; i++) { INIT_LIST_HEAD(&sma->sem_base[i].pending_alter); INIT_LIST_HEAD(&sma->sem_base[i].pending_const); _ Patches currently in -mm which might be from keescook@xxxxxxxxxxxx are ipc-sem-avoid-indexing-past-end-of-sem_array.patch -- To unsubscribe from this list: send the line "unsubscribe mm-commits" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
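Review bot: In the first hunk, the new `void *sem_alloc;` declaration would benefit from a one-line comment stating that it holds the raw allocation returned by ipc_rcu_alloc() before it is split into the `struct sem_array` header and the trailing `struct sem` array; without that, the reason for having both `sem_alloc` and `sma` point at the same memory is not obvious to the next reader.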
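Review bot: The new `sma->sem_base = sem_alloc + sizeof(*sma);` in the second hunk is only equivalent to the removed `&sma[1]` because `sizeof(*sma)` already includes the trailing padding of `struct sem_array`, so the `struct sem` array starts at the same offset and alignment as before; since the stated purpose is to satisfy static analyzers without changing behavior, the commit message should say this explicitly. The arithmetic on a `void *` is a GCC extension the kernel already relies on, so that is fine, but a reader checking this for a functional change will otherwise have to work the offset argument out themselves.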
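Review bot: Dropping the old assignment in the third hunk moves the setting of `sem_base` ahead of the `return retval;` error path visible at the top of that hunk, which previously ran with `sem_base` still zeroed from the memset. That is harmless only if the error path frees the whole allocation rather than walking `sem_base`, and nothing in the hunk shows either way; the commit message should note the reordering so reviewers do not have to confirm that the early-exit path is unaffected.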