Re: [PATCH] ipc,shm: Correct error return value in shmctl (SHM_UNLOCK)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Sun, Nov 24, 2013 at 08:07:44AM +0100, Mike Galbraith wrote:
> This patch (commit: 3a72660b07) is only slated for stable 3.12, but
> should go to 3.10/11 as well, no?

Yes, you're right, both 3.10 and 3.11 seem to have the restructuring
patch included (3.10.17 and 3.11.6 respectively), and so should have
this patch also.

> On Wed, 2013-11-20 at 11:44 +0100, Jesper Nilsson wrote: 
> > Commit 2caacaa82a51b78fc0c800e206473874094287ed restructured
> > the ipc shm to shorten critical region, but introduced a path
> > where the return value could be -EPERM, even if the operation
> > actually was performed.
> > 
> > Before the commit, the err return value was reset by the return value
> > from security_shm_shmctl() after the if (!ns_capable(...)) statement.
> > 
> > Now, we still exit the if statement with err set to -EPERM,
> > and in the case of SHM_UNLOCK, it is not reset at all,
> > and used as the return value from shmctl.
> > 
> > To fix this, we only set err when errors occur, leaving the
> > fallthrough case alone.
> > 
> > Signed-off-by: Jesper Nilsson <jesper.nilsson@xxxxxxxx>
> > Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> > Cc: Davidlohr Bueso <davidlohr@xxxxxx>
> > Cc: Rik van Riel <riel@xxxxxxxxxx>
> > Cc: Michel Lespinasse <walken@xxxxxxxxxx>
> > Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> > Cc: stable@xxxxxxxxxxxxxxx
> > ---
> >  ipc/shm.c | 9 ++++++---
> >  1 file changed, 6 insertions(+), 3 deletions(-)
> > 
> > diff --git a/ipc/shm.c b/ipc/shm.c
> > index d697396..4076f9e 100644
> > --- a/ipc/shm.c
> > +++ b/ipc/shm.c
> > @@ -974,12 +974,15 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
> >  		ipc_lock_object(&shp->shm_perm);
> >  		if (!ns_capable(ns->user_ns, CAP_IPC_LOCK)) {
> >  			kuid_t euid = current_euid();
> > -			err = -EPERM;
> >  			if (!uid_eq(euid, shp->shm_perm.uid) &&
> > -			    !uid_eq(euid, shp->shm_perm.cuid))
> > +			    !uid_eq(euid, shp->shm_perm.cuid)) {
> > +				err = -EPERM;
> >  				goto out_unlock0;
> > -			if (cmd == SHM_LOCK && !rlimit(RLIMIT_MEMLOCK))
> > +			}
> > +			if (cmd == SHM_LOCK && !rlimit(RLIMIT_MEMLOCK)) {
> > +				err = -EPERM;
> >  				goto out_unlock0;
> > +			}
> >  		}
> >  
> >  		shm_file = shp->shm_file;
> > -- 
> > 1.8.4
> > 
> > 
> > /^JN - Jesper Nilsson
> 
> 

/^JN - Jesper Nilsson
-- 
               Jesper Nilsson -- jesper.nilsson@xxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]