Module Name:    src
Committed By:   maxv
Date:           Fri Aug 23 10:22:15 UTC 2019

Modified Files:
        src/sys/compat/linux/common: linux_ipc.c
        src/sys/kern: sysv_shm.c
        src/sys/sys: shm.h

Log Message:
Fix stupid bugs in linux_sys_shmctl(): the index could be out of bounds
(page fault) and there was no proper locking.

Maybe we should just remove LINUX_SHM_STAT, like compat_linux32.


To generate a diff of this commit:
cvs rdiff -u -r1.56 -r1.57 src/sys/compat/linux/common/linux_ipc.c
cvs rdiff -u -r1.137 -r1.138 src/sys/kern/sysv_shm.c
cvs rdiff -u -r1.53 -r1.54 src/sys/sys/shm.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/compat/linux/common/linux_ipc.c
diff -u src/sys/compat/linux/common/linux_ipc.c:1.56 src/sys/compat/linux/common/linux_ipc.c:1.57
--- src/sys/compat/linux/common/linux_ipc.c:1.56	Thu Feb 21 03:37:18 2019
+++ src/sys/compat/linux/common/linux_ipc.c	Fri Aug 23 10:22:15 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: linux_ipc.c,v 1.56 2019/02/21 03:37:18 mrg Exp $	*/
+/*	$NetBSD: linux_ipc.c,v 1.57 2019/08/23 10:22:15 maxv Exp $	*/
 
 /*-
  * Copyright (c) 1995, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: linux_ipc.c,v 1.56 2019/02/21 03:37:18 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_ipc.c,v 1.57 2019/08/23 10:22:15 maxv Exp $");
 
 #if defined(_KERNEL_OPT)
 #include "opt_sysv.h"
@@ -568,6 +568,7 @@ linux_sys_shmctl(struct lwp *l, const st
 		syscallarg(struct linux_shmid_ds *) buf;
 	} */
 	struct shmid_ds bs;
+	struct ipc_perm perm;
 	struct linux_shmid_ds ls;
 	struct linux_shmid64_ds ls64;
 	struct linux_shminfo64 lsi64;
@@ -582,7 +583,10 @@ linux_sys_shmctl(struct lwp *l, const st
 
 	switch (cmd & ~LINUX_IPC_64) {
 	case LINUX_SHM_STAT:
-		shmid = IXSEQ_TO_IPCID(shmid, shmsegs[shmid].shm_perm);
+		error = shm_find_segment_perm_by_index(shmid, &perm);
+		if (error)
+			return error;
+		shmid = IXSEQ_TO_IPCID(shmid, perm);
 		retval[0] = shmid;
 		/*FALLTHROUGH*/
 
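Review bot: The `perm` passed to `IXSEQ_TO_IPCID(shmid, perm)` is a copy made under `shm_lock` inside the helper, and the lock is dropped before the id is built and before control falls through to the next case, so the slot can be freed or reused in that window. This is only safe if the code reached by the fallthrough (outside this hunk) looks the id up again under the lock and rejects a stale sequence number; that seems likely but cannot be confirmed from the visible lines. I would record the dependency at the call site, e.g. `/* perm is a snapshot; the id is revalidated under shm_lock by the IPC_STAT path below */`, so that nobody later treats the computed `shmid` as already validated.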

Index: src/sys/kern/sysv_shm.c
diff -u src/sys/kern/sysv_shm.c:1.137 src/sys/kern/sysv_shm.c:1.138
--- src/sys/kern/sysv_shm.c:1.137	Wed Aug  7 00:38:02 2019
+++ src/sys/kern/sysv_shm.c	Fri Aug 23 10:22:14 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: sysv_shm.c,v 1.137 2019/08/07 00:38:02 pgoyette Exp $	*/
+/*	$NetBSD: sysv_shm.c,v 1.138 2019/08/23 10:22:14 maxv Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2007 The NetBSD Foundation, Inc.
@@ -61,7 +61,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sysv_shm.c,v 1.137 2019/08/07 00:38:02 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sysv_shm.c,v 1.138 2019/08/23 10:22:14 maxv Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_sysv.h"
@@ -121,6 +121,26 @@ SYSCTL_SETUP_PROTO(sysctl_ipc_shm_setup)
 static int shmrealloc(int);
 
 /*
+ * Find the shared memory segment permission by the index. Only used by
+ * compat_linux to implement SHM_STAT.
+ */
+int
+shm_find_segment_perm_by_index(int index, struct ipc_perm *perm)
+{
+	struct shmid_ds *shmseg;
+
+	mutex_enter(&shm_lock);
+	if (index < 0 || index >= shminfo.shmmni) {
+		mutex_exit(&shm_lock);
+		return EINVAL;
+	}
+	shmseg = &shmsegs[index];
+	memcpy(perm, &shmseg->shm_perm, sizeof(*perm));
+	mutex_exit(&shm_lock);
+	return 0;
+}
+
+/*
  * Find the shared memory segment by the identifier.
  *  => must be called with shm_lock held;
  */
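Review bot: The header comment on `shm_find_segment_perm_by_index()` omits the locking contract, although the neighbouring comment in this hunk states it with a `=>` line. Because the function takes `shm_lock` itself, a caller that already holds the lock would presumably deadlock or panic, so I would add ` *  => must be called without shm_lock held; acquires it internally`. The function also returns 0 for every in-range index without checking that the slot is in use, so a free slot hands back whatever `shm_perm` was left there. If that is not intended, `if ((shmseg->shm_perm.mode & SHMSEG_ALLOCATED) == 0)` with a `mutex_exit(&shm_lock)` and `return EINVAL` before the `memcpy` would make the helper safe on its own, rather than relying on the caller's later lookup.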

Index: src/sys/sys/shm.h
diff -u src/sys/sys/shm.h:1.53 src/sys/sys/shm.h:1.54
--- src/sys/sys/shm.h:1.53	Wed Aug  7 00:38:02 2019
+++ src/sys/sys/shm.h	Fri Aug 23 10:22:14 2019
@@ -1,4 +1,4 @@
-/*	$NetBSD: shm.h,v 1.53 2019/08/07 00:38:02 pgoyette Exp $	*/
+/*	$NetBSD: shm.h,v 1.54 2019/08/23 10:22:14 maxv Exp $	*/
 
 /*-
  * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -178,6 +178,8 @@ void	shmfork(struct vmspace *, struct vm
 void	shmexit(struct vmspace *);
 int	shmctl1(struct lwp *, int, int, struct shmid_ds *);
 
+int	shm_find_segment_perm_by_index(int, struct ipc_perm *);
+
 extern void (*uvm_shmexit)(struct vmspace *);
 extern void (*uvm_shmfork)(struct vmspace *, struct vmspace *);
 
