Module Name: src Committed By: maxv Date: Fri Aug 23 10:22:15 UTC 2019
Modified Files: src/sys/compat/linux/common: linux_ipc.c src/sys/kern: sysv_shm.c src/sys/sys: shm.h Log Message: Fix stupid bugs in linux_sys_shmctl(): the index could be out of bound (page fault) and there was no proper locking. Maybe we should just remove LINUX_SHM_STAT, like compat_linux32. To generate a diff of this commit: cvs rdiff -u -r1.56 -r1.57 src/sys/compat/linux/common/linux_ipc.c cvs rdiff -u -r1.137 -r1.138 src/sys/kern/sysv_shm.c cvs rdiff -u -r1.53 -r1.54 src/sys/sys/shm.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/compat/linux/common/linux_ipc.c
diff -u src/sys/compat/linux/common/linux_ipc.c:1.56 src/sys/compat/linux/common/linux_ipc.c:1.57
--- src/sys/compat/linux/common/linux_ipc.c:1.56 Thu Feb 21 03:37:18 2019
+++ src/sys/compat/linux/common/linux_ipc.c Fri Aug 23 10:22:15 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: linux_ipc.c,v 1.56 2019/02/21 03:37:18 mrg Exp $ */
+/* $NetBSD: linux_ipc.c,v 1.57 2019/08/23 10:22:15 maxv Exp $ */
 /*-
 * Copyright (c) 1995, 1998 The NetBSD Foundation, Inc.
@@ -30,7 +30,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: linux_ipc.c,v 1.56 2019/02/21 03:37:18 mrg Exp $");
+__KERNEL_RCSID(0, "$NetBSD: linux_ipc.c,v 1.57 2019/08/23 10:22:15 maxv Exp $");
 #if defined(_KERNEL_OPT)
 #include "opt_sysv.h"
@@ -568,6 +568,7 @@ linux_sys_shmctl(struct lwp *l, const st
 syscallarg(struct linux_shmid_ds *) buf;
 } */
 struct shmid_ds bs;
+ struct ipc_perm perm;
 struct linux_shmid_ds ls;
 struct linux_shmid64_ds ls64;
 struct linux_shminfo64 lsi64;
@@ -582,7 +583,10 @@ linux_sys_shmctl(struct lwp *l, const st
 switch (cmd & ~LINUX_IPC_64) {
 case LINUX_SHM_STAT:
- shmid = IXSEQ_TO_IPCID(shmid, shmsegs[shmid].shm_perm);
+ error = shm_find_segment_perm_by_index(shmid, &perm);
+ if (error)
+ return error;
+ shmid = IXSEQ_TO_IPCID(shmid, perm);
 retval[0] = shmid;
 /*FALLTHROUGH*/
Index: src/sys/kern/sysv_shm.c
diff -u src/sys/kern/sysv_shm.c:1.137 src/sys/kern/sysv_shm.c:1.138
--- src/sys/kern/sysv_shm.c:1.137 Wed Aug 7 00:38:02 2019
+++ src/sys/kern/sysv_shm.c Fri Aug 23 10:22:14 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: sysv_shm.c,v 1.137 2019/08/07 00:38:02 pgoyette Exp $ */
+/* $NetBSD: sysv_shm.c,v 1.138 2019/08/23 10:22:14 maxv Exp $ */
 /*-
 * Copyright (c) 1999, 2007 The NetBSD Foundation, Inc.
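Review bot: In the `LINUX_SHM_STAT` case of the `@@ -582,7 +583,10 @@` hunk, `perm` is a snapshot taken under `shm_lock` inside `shm_find_segment_perm_by_index()`, and the lock is already released when `IXSEQ_TO_IPCID(shmid, perm)` builds the id and the case falls through. The slot can be freed or reused in that window, so the id may be stale by the time the fall-through path uses it. Presumably the later lookup rejects a mismatching sequence number, but that code is outside the hunk and should be confirmed. A comment on the case would record the assumption, for example `/* shmid is a table index here; the id built from it may be stale, so the stat below must revalidate it */`. The body of linux_sys_shmctl() starts and ends outside the hunk.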
@@ -61,7 +61,7 @@
 */
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sysv_shm.c,v 1.137 2019/08/07 00:38:02 pgoyette Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sysv_shm.c,v 1.138 2019/08/23 10:22:14 maxv Exp $");
 #ifdef _KERNEL_OPT
 #include "opt_sysv.h"
@@ -121,6 +121,26 @@ SYSCTL_SETUP_PROTO(sysctl_ipc_shm_setup)
 static int shmrealloc(int);
 /*
+ * Find the shared memory segment permission by the index. Only used by
+ * compat_linux to implement SHM_STAT.
+ */
+int
+shm_find_segment_perm_by_index(int index, struct ipc_perm *perm)
+{
+ struct shmid_ds *shmseg;
+
+ mutex_enter(&shm_lock);
+ if (index < 0 || index >= shminfo.shmmni) {
+ mutex_exit(&shm_lock);
+ return EINVAL;
+ }
+ shmseg = &shmsegs[index];
+ memcpy(perm, &shmseg->shm_perm, sizeof(*perm));
+ mutex_exit(&shm_lock);
+ return 0;
+}
+
+/*
 * Find the shared memory segment by the identifier.
 * => must be called with shm_lock held;
 */
Index: src/sys/sys/shm.h
diff -u src/sys/sys/shm.h:1.53 src/sys/sys/shm.h:1.54
--- src/sys/sys/shm.h:1.53 Wed Aug 7 00:38:02 2019
+++ src/sys/sys/shm.h Fri Aug 23 10:22:14 2019
@@ -1,4 +1,4 @@
-/* $NetBSD: shm.h,v 1.53 2019/08/07 00:38:02 pgoyette Exp $ */
+/* $NetBSD: shm.h,v 1.54 2019/08/23 10:22:14 maxv Exp $ */
 /*-
 * Copyright (c) 1999 The NetBSD Foundation, Inc.
@@ -178,6 +178,8 @@ void shmfork(struct vmspace *, struct vm
 void shmexit(struct vmspace *);
 int shmctl1(struct lwp *, int, int, struct shmid_ds *);
+int shm_find_segment_perm_by_index(int, struct ipc_perm *);
+
 extern void (*uvm_shmexit)(struct vmspace *);
 extern void (*uvm_shmfork)(struct vmspace *, struct vmspace *);
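Review bot: `shm_find_segment_perm_by_index()` in the `@@ -121,6 +121,26 @@` hunk of sysv_shm.c checks only that `index` lies inside the table, then copies `shm_perm` from the slot whether or not that slot is allocated. A caller therefore receives the permissions and sequence number of a free or previously used slot. If no caller is meant to see those, reject them before the copy with `if ((shmseg->shm_perm.mode & SHMSEG_ALLOCATED) == 0) { mutex_exit(&shm_lock); return EINVAL; }`. The header comment should also state the locking contract, e.g. `=> acquires shm_lock itself; must not be called with shm_lock held`, because the function documented right below it has the opposite rule.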