From: Jesper Nilsson <jesper.nilsson@axis.com>
To: Andrew Morton <akpm@linux-foundation.org>,
Davidlohr Bueso <davidlohr@hp.com>,
Rik van Riel <riel@redhat.com>,
Michel Lespinasse <walken@google.com>,
Al Viro <viro@zeniv.linux.org.uk>,
linux-kernel@vger.kernel.org
Subject: [PATCH] ipc,shm: Correct error return value in shmctl (SHM_UNLOCK)
Date: Wed, 20 Nov 2013 11:44:12 +0100 [thread overview]
Message-ID: <20131120104411.GA15831@axis.com> (raw)
Commit 2caacaa82a51b78fc0c800e206473874094287ed restructured
the ipc shm to shorten critical region, but introduced a path
where the return value could be -EPERM, even if the operation
actually was performed.
Before the commit, the err return value was reset by the return value
from security_shm_shmctl() after the if (!ns_capable(...)) statement.
Now, we still exit the if statement with err set to -EPERM,
and in the case of SHM_UNLOCK, it is not reset at all,
and used as the return value from shmctl.
To fix this, we only set err when errors occur, leaving the
fallthrough case alone.
Signed-off-by: Jesper Nilsson <jesper.nilsson@axis.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Davidlohr Bueso <davidlohr@hp.com>
Cc: Rik van Riel <riel@redhat.com>
Cc: Michel Lespinasse <walken@google.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: stable@vger.kernel.org
---
ipc/shm.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/ipc/shm.c b/ipc/shm.c
index d697396..4076f9e 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -974,12 +974,15 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int, cmd, struct shmid_ds __user *, buf)
ipc_lock_object(&shp->shm_perm);
if (!ns_capable(ns->user_ns, CAP_IPC_LOCK)) {
kuid_t euid = current_euid();
- err = -EPERM;
if (!uid_eq(euid, shp->shm_perm.uid) &&
- !uid_eq(euid, shp->shm_perm.cuid))
+ !uid_eq(euid, shp->shm_perm.cuid)) {
+ err = -EPERM;
goto out_unlock0;
- if (cmd == SHM_LOCK && !rlimit(RLIMIT_MEMLOCK))
+ }
+ if (cmd == SHM_LOCK && !rlimit(RLIMIT_MEMLOCK)) {
+ err = -EPERM;
goto out_unlock0;
+ }
}
shm_file = shp->shm_file;
--
1.8.4
/^JN - Jesper Nilsson
--
Jesper Nilsson -- jesper.nilsson@axis.com
next reply other threads:[~2013-11-20 10:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-20 10:44 Jesper Nilsson [this message]
2013-11-24 7:07 ` [PATCH] ipc,shm: Correct error return value in shmctl (SHM_UNLOCK) Mike Galbraith
2013-11-24 8:54 ` Jesper Nilsson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20131120104411.GA15831@axis.com \
--to=jesper.nilsson@axis.com \
--cc=akpm@linux-foundation.org \
--cc=davidlohr@hp.com \
--cc=linux-kernel@vger.kernel.org \
--cc=riel@redhat.com \
--cc=viro@zeniv.linux.org.uk \
--cc=walken@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.