[PATCH] ipc/shm: Add missing container_of() for randstruct

[PATCH] ipc/shm: Add missing container_of() for randstruct

[Kees Cook]

When building with the randstruct gcc plugin, the layout of the shm struct
will be randomized, which requires any sub-structure accesses to use
container_of(). One was still missing in the proc display handler, which
would lead to crashes when running the "lsipc" program after the system
had shm registers (e.g. after starting up Gnome):

[  183.018415] general protection fault: 0000 [#1] PREEMPT SMP
...
[  183.018692] RIP: 0010:shm_add_rss_swap.isra.1+0x13/0xa0
...
[  183.019265] Call Trace:
[  183.019294]  sysvipc_shm_proc_show+0x5e/0x150
[  183.019338]  ? _raw_spin_lock+0x17/0x40
[  183.019376]  ? sysvipc_find_ipc+0xbc/0xf0
[  183.019416]  sysvipc_proc_show+0x1a/0x30
[  183.019456]  seq_read+0x2e9/0x3f0
...

Reported-by: Dominik Brodowski <linux@dominikbrodowski.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Fixes: 3859a271a003 ("randstruct: Mark various structs for randomization")
Signed-off-by: Kees Cook <keescook@chromium.org>
---
Hi Andrew, please take this as a fix for v4.13.
---
 ipc/shm.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/ipc/shm.c b/ipc/shm.c
index 28a444861a8f..8828b4c3a190 100644
--- a/ipc/shm.c
+++ b/ipc/shm.c
@@ -1380,9 +1380,11 @@ SYSCALL_DEFINE1(shmdt, char __user *, shmaddr)
 static int sysvipc_shm_proc_show(struct seq_file *s, void *it)
 {
 	struct user_namespace *user_ns = seq_user_ns(s);
-	struct shmid_kernel *shp = it;
+	struct kern_ipc_perm *ipcp = it;
+	struct shmid_kernel *shp;
 	unsigned long rss = 0, swp = 0;
 
+	shp = container_of(ipcp, struct shmid_kernel, shm_perm);
 	shm_add_rss_swap(shp, &rss, &swp);
 
 #if BITS_PER_LONG <= 32
-- 
2.7.4


-- 
Kees Cook
Pixel Security