Re: [PATCH] ipc,msg: shorten critical region in msgsnd

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* Re: [PATCH] ipc,msg: shorten critical region in msgsnd
@ 2013-09-12 12:20 Manfred Spraul
  2013-09-12 15:10 ` Manfred Spraul
  0 siblings, 1 reply; 2+ messages in thread
From: Manfred Spraul @ 2013-09-12 12:20 UTC (permalink / raw)
  To: davidlohr.bueso
  Cc: Linux Kernel Mailing List, Rik van Riel, Andrew Morton,
	Sedat Dilek

Hi Davidlohr,

I think the patch (3dd1f784ed6603d7ab1043e51e6371235edf2313) is still 
unsafe, i.e. my correction (bebcb928c820d0ee83aca4b192adc195e43e66a2) 
doesn't fix everything:

AFAICS, ipc_obtain_object_check:
- look up the id in the idr tree
- check if it is deleted
- return without taking any locks.

This means that the "is not deleted" information can be stale immediately.

Thus do_msgsnd() in ipc/msg.c contains a memory leak:
>        rcu_read_lock();
>         msq = msq_obtain_object_check(ns, msqid);
>         if (IS_ERR(msq)) {
>                 err = PTR_ERR(msq);
>                 goto out_unlock1;
>         }
<<<< what if the code is preempted here and RMID is processed?
The code below would queue the message into an already removed queue.
The queue is freed by the rcu callback, but the message memory is leaked.

> ipc_lock_object(&msq->q_perm);
>

Is this analysis correct?

And: What about the other users of obtain_object_check?
exit_sem() is also quite long, but I didn't spot any obvious problems.

--
     Manfred

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH] ipc,msg: shorten critical region in msgsnd
  2013-09-12 12:20 [PATCH] ipc,msg: shorten critical region in msgsnd Manfred Spraul
@ 2013-09-12 15:10 ` Manfred Spraul
  0 siblings, 0 replies; 2+ messages in thread
From: Manfred Spraul @ 2013-09-12 15:10 UTC (permalink / raw)
  To: davidlohr.bueso
  Cc: Linux Kernel Mailing List, Rik van Riel, Andrew Morton,
	Sedat Dilek

Hi all,

On 09/12/2013 02:20 PM, Manfred Spraul wrote:
>
> And: What about the other users of obtain_object_check?
> exit_sem() is also quite long, but I didn't spot any obvious problems.
>
a) I think semtimed(), msgsnd() and msgrcv() must be fixed:
They either leak memory or tasks can sleep forever.
I haven't checked the shm code, I would expect that there are similar 
problems.

b) There are additional races at least with selinux:
security/selinux/hooks.c
- selinux_sem_semop() accesses sma->sem_perm.security->sid.
- selinux_sem_free_security() does kfree() q_perm.security.

Right now, both operations can happen in parallel -> use after free.

I think the security_xx_yy() calls within ipc/*.c must only be called:
     - after checking _perm.deleted
     - with ipc_perm.lock acquired (to prevent parallel RMID calls).

Davidlohr:
What would be your proposal?

--
     Manfred

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2013-09-12 15:10 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-09-12 12:20 [PATCH] ipc,msg: shorten critical region in msgsnd Manfred Spraul
2013-09-12 15:10 ` Manfred Spraul

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox