[linux] 01/02: ipc: fully initialize sem_array before making it visible
debian-kernel at lists.debian.org
Fri Oct 2 14:15:26 UTC 2015
This is an automated email from the git hooks/post-receive script.
carnil pushed a commit to branch jessie-security
in repository linux.
commit f683840713695c69f5b872f5dd5af94b847a47a6
Author: Salvatore Bonaccorso <carnil at debian.org>
Date: Fri Oct 2 07:36:11 2015 +0200
ipc: fully initialize sem_array before making it visible
---
debian/changelog | 4 ++
...ully-initialize-sem_array-before-making-i.patch | 60 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 65 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 83d60e7..b1c36f3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,12 @@
linux (3.16.7-ckt11-1+deb8u5) UNRELEASED; urgency=medium
+ [ Ben Hutchings ]
* USB: whiteheat: fix potential null-deref at probe (CVE-2015-5257)
* sctp: fix race on protocol/netns initialization (CVE-2015-5283)
+ [ Salvatore Bonaccorso ]
+ * ipc: fully initialize sem_array before making it visible
+
-- Ben Hutchings <ben at decadent.org.uk> Fri, 02 Oct 2015 02:39:36 +0100
linux (3.16.7-ckt11-1+deb8u4) jessie-security; urgency=medium
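Review bot: The new entry under [ Salvatore Bonaccorso ] carries no CVE or bug reference, while both entries directly above it name a CVE id in parentheses. If an identifier has been assigned for the sem_array issue, append it to the line in the same form; otherwise a few words on the impact would tell readers of this upload why the fix belongs on the security branch.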
diff --git a/debian/patches/bugfix/all/ipc-sem.c-fully-initialize-sem_array-before-making-i.patch b/debian/patches/bugfix/all/ipc-sem.c-fully-initialize-sem_array-before-making-i.patch
new file mode 100644
index 0000000..4d10d15
--- /dev/null
+++ b/debian/patches/bugfix/all/ipc-sem.c-fully-initialize-sem_array-before-making-i.patch
@@ -0,0 +1,60 @@
+From: Manfred Spraul <manfred at colorfullife.com>
+Date: Tue, 2 Dec 2014 15:59:34 -0800
+Subject: ipc/sem.c: fully initialize sem_array before making it visible
+Origin: https://git.kernel.org/linus/e8577d1f0329d4842e8302e289fb2c22156abef4
+
+ipc_addid() makes a new ipc identifier visible to everyone. New objects
+start as locked, so that the caller can complete the initialization
+after the call. Within struct sem_array, at least sma->sem_base and
+sma->sem_nsems are accessed without any locks, therefore this approach
+doesn't work.
+
+Thus: Move the ipc_addid() to the end of the initialization.
+
+Signed-off-by: Manfred Spraul <manfred at colorfullife.com>
+Reported-by: Rik van Riel <riel at redhat.com>
+Acked-by: Rik van Riel <riel at redhat.com>
+Acked-by: Davidlohr Bueso <dave at stgolabs.net>
+Acked-by: Rafael Aquini <aquini at redhat.com>
+Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+---
+ ipc/sem.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/ipc/sem.c b/ipc/sem.c
+index 454f6c6..53c3310 100644
+--- a/ipc/sem.c
++++ b/ipc/sem.c
+@@ -507,13 +507,6 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params)
+ return retval;
+ }
+
+- id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
+- if (id < 0) {
+- ipc_rcu_putref(sma, sem_rcu_free);
+- return id;
+- }
+- ns->used_sems += nsems;
+-
+ sma->sem_base = (struct sem *) &sma[1];
+
+ for (i = 0; i < nsems; i++) {
+@@ -528,6 +521,14 @@ static int newary(struct ipc_namespace *ns, struct ipc_params *params)
+ INIT_LIST_HEAD(&sma->list_id);
+ sma->sem_nsems = nsems;
+ sma->sem_ctime = get_seconds();
++
++ id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);
++ if (id < 0) {
++ ipc_rcu_putref(sma, sem_rcu_free);
++ return id;
++ }
++ ns->used_sems += nsems;
++
+ sem_unlock(sma, -1);
+ rcu_read_unlock();
+
+--
+2.6.0
+
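Review bot: Nothing at the relocated ipc_addid() call in the second ipc/sem.c hunk records that it must remain the last step before sem_unlock(); the ordering requirement exists only in the commit message. A one-line comment above `id = ipc_addid(&sem_ids(ns), &sma->sem_perm, ns->sc_semmni);` stating that the call makes the array visible and that sma->sem_base and sma->sem_nsems are read without locks would keep a later change from adding initialization after it. The error path is otherwise unchanged by the move: it still only drops the reference with ipc_rcu_putref() and returns id, and ns->used_sems is still updated only on success.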
diff --git a/debian/patches/series b/debian/patches/series
index 4201a5e..efc1d6c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -650,3 +650,4 @@ bugfix/all/dcache-handle-escaped-paths-in-prepend_path.patch
bugfix/all/vfs-test-for-and-handle-paths-that-are-unreachable-f.patch
bugfix/all/usb-whiteheat-fix-potential-null-deref-at-probe.patch
bugfix/all/sctp-fix-race-on-protocol-netns-initialization.patch
+bugfix/all/ipc-sem.c-fully-initialize-sem_array-before-making-i.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git