[linux] 01/02: ipc: fully initialize sem_array before making it visible

debian-kernel at lists.debian.org debian-kernel at lists.debian.org
Fri Oct 2 14:15:26 UTC 2015 

This is an automated email from the git hooks/post-receive script.

carnil pushed a commit to branch jessie-security
in repository linux.

commit f683840713695c69f5b872f5dd5af94b847a47a6
Author: Salvatore Bonaccorso <carnil at debian.org>
Date:   Fri Oct 2 07:36:11 2015 +0200

    ipc: fully initialize sem_array before making it visible
---
 debian/changelog                                   |  4 ++
 ...ully-initialize-sem_array-before-making-i.patch | 60 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 65 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 83d60e7..b1c36f3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,12 @@
 linux (3.16.7-ckt11-1+deb8u5) UNRELEASED; urgency=medium
 
+  [ Ben Hutchings ]
   * USB: whiteheat: fix potential null-deref at probe (CVE-2015-5257)
   * sctp: fix race on protocol/netns initialization (CVE-2015-5283)
 
+  [ Salvatore Bonaccorso ]
+  * ipc: fully initialize sem_array before making it visible
+
  -- Ben Hutchings <ben at decadent.org.uk>  Fri, 02 Oct 2015 02:39:36 +0100
 
 linux (3.16.7-ckt11-1+deb8u4) jessie-security; urgency=medium
diff --git a/debian/patches/bugfix/all/ipc-sem.c-fully-initialize-sem_array-before-making-i.patch b/debian/patches/bugfix/all/ipc-sem.c-fully-initialize-sem_array-before-making-i.patch
new file mode 100644
index 0000000..4d10d15
--- /dev/null
+++ b/debian/patches/bugfix/all/ipc-sem.c-fully-initialize-sem_array-before-making-i.patch
@@ -0,0 +1,60 @@
+From: Manfred Spraul <manfred at colorfullife.com>
+Date: Tue, 2 Dec 2014 15:59:34 -0800
+Subject: ipc/sem.c: fully initialize sem_array before making it visible
+Origin: https://git.kernel.org/linus/e8577d1f0329d4842e8302e289fb2c22156abef4
+
+ipc_addid() makes a new ipc identifier visible to everyone.  New objects
+start as locked, so that the caller can complete the initialization
+after the call.  Within struct sem_array, at least sma->sem_base and
+sma->sem_nsems are accessed without any locks, therefore this approach
+doesn't work.
+
+Thus: Move the ipc_addid() to the end of the initialization.
+
+Signed-off-by: Manfred Spraul <manfred at colorfullife.com>
+Reported-by: Rik van Riel <riel at redhat.com>
+Acked-by: Rik van Riel <riel at redhat.com>
+Acked-by: Davidlohr Bueso <dave at stgolabs.net>
+Acked-by: Rafael Aquini <aquini at redhat.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ ipc/sem.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/ipc/sem.c b/ipc/sem.c
+index 454f6c6..53c3310 100644
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -507,13 +507,6 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params)
+ 		return retval;
+ 	}
+ 
+-	id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
+-	if (id < 0) {
+-		ipc_rcu_putref(sma, sem_rcu_free);
+-		return id;
+-	}
+-	ns->used_sems += nsems;
+-
+ 	sma->sem_base = (struct sem *) &sma[1];
+ 
+ 	for (i = 0; i < nsems; i++) {
+@@ -528,6 +521,14 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params)
+ 	INIT_LIST_HEAD(&sma->list_id);
+ 	sma->sem_nsems = nsems;
+ 	sma->sem_ctime = get_seconds();
++
++	id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
++	if (id < 0) {
++		ipc_rcu_putref(sma, sem_rcu_free);
++		return id;
++	}
++	ns->used_sems += nsems;
++
+ 	sem_unlock(sma, -1);
+ 	rcu_read_unlock();
+ 
+-- 
+2.6.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 4201a5e..efc1d6c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -650,3 +650,4 @@ bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch
 bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-f.patch
 bugfix/all/usb-whiteheat-fix-potential-null-deref-at-probe.patch
 bugfix/all/sctp-fix-race-on-protocol-netns-initialization.patch
+bugfix/all/ipc-sem.c-fully-initialize-sem_array-before-making-i.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git

More information about the Kernel-svn-changes mailing list