From: Kees Cook <keescook@chromium.org>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Manfred Spraul <manfred@colorfullife.com>,
Davidlohr Bueso <dave@stgolabs.net>,
Miklos Szeredi <mszeredi@redhat.com>,
Shailesh Pandey <p.shailesh@samsung.com>,
Mike Rapoport <rppt@linux.vnet.ibm.com>,
Dominik Brodowski <linux@dominikbrodowski.net>,
LKML <linux-kernel@vger.kernel.org>
Subject: [PATCH] ipc/shm: Add missing container_of() for randstruct
Date: Sun, 30 Jul 2017 13:35:28 -0700 [thread overview]
Message-ID: <20170730203528.GA54908@beast> (raw)
When building with the randstruct gcc plugin, the layout of the shm struct
will be randomized, which requires any sub-structure accesses to use
container_of(). One was still missing in the proc display handler, which
would lead to crashes when running the "lsipc" program after the system
had shm registers (e.g. after starting up Gnome):
[ 183.018415] general protection fault: 0000 [#1] PREEMPT SMP
...
[ 183.018692] RIP: 0010:shm_add_rss_swap.isra.1+0x13/0xa0
...
[ 183.019265] Call Trace:
[ 183.019294] sysvipc_shm_proc_show+0x5e/0x150
[ 183.019338] ? _raw_spin_lock+0x17/0x40
[ 183.019376] ? sysvipc_find_ipc+0xbc/0xf0
[ 183.019416] sysvipc_proc_show+0x1a/0x30
[ 183.019456] seq_read+0x2e9/0x3f0
...
Reported-by: Dominik Brodowski <linux@dominikbrodowski.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Fixes: 3859a271a003 ("randstruct: Mark various structs for randomization")
Signed-off-by: Kees Cook <keescook@chromium.org>
---
Hi Andrew, please take this as a fix for v4.13.
---
ipc/shm.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ipc/shm.c b/ipc/shm.c
index 28a444861a8f..8828b4c3a190 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1380,9 +1380,11 @@ SYSCALL_DEFINE1(shmdt, char __user *, shmaddr)
static int sysvipc_shm_proc_show(struct seq_file *s, void *it)
{
struct user_namespace *user_ns = seq_user_ns(s);
- struct shmid_kernel *shp = it;
+ struct kern_ipc_perm *ipcp = it;
+ struct shmid_kernel *shp;
unsigned long rss = 0, swp = 0;
+ shp = container_of(ipcp, struct shmid_kernel, shm_perm);
shm_add_rss_swap(shp, &rss, &swp);
#if BITS_PER_LONG <= 32
--
2.7.4
--
Kees Cook
Pixel Security
reply other threads:[~2017-07-30 20:35 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170730203528.GA54908@beast \
--to=keescook@chromium.org \
--cc=akpm@linux-foundation.org \
--cc=dave@stgolabs.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@dominikbrodowski.net \
--cc=manfred@colorfullife.com \
--cc=mszeredi@redhat.com \
--cc=p.shailesh@samsung.com \
--cc=rppt@linux.vnet.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.