Skip to content

Commit 078dd73

Browse files
Lu Shuaibinggregkh
Lu Shuaibing
authored andcommitted
ipc/msg.c: consolidate all xxxctl_down() functions
commit 889b331 upstream. A use of uninitialized memory in msgctl_down() because msqid64 in ksys_msgctl hasn't been initialized. The local | msqid64 | is created in ksys_msgctl() and then passed into msgctl_down(). Along the way msqid64 is never initialized before msgctl_down() checks msqid64->msg_qbytes. KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool) reports: ================================================================== BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300 Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022 CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 Call Trace: dump_stack+0x75/0xae __kumsan_report+0x17c/0x3e6 kumsan_report+0xe/0x20 msgctl_down+0x94/0x300 ksys_msgctl.constprop.14+0xef/0x260 do_syscall_64+0x7e/0x1f0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4400e9 Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047 RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970 R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000 The buggy address belongs to the page: page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0x100000000000000() raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kumsan: bad access detected ================================================================== Syzkaller reproducer: msgctl$IPC_RMID(0x0, 0x0) C reproducer: // autogenerated by syzkaller (https://github.com/google/syzkaller) int main(void) { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); syscall(__NR_msgctl, 0, 0, 0); return 0; } [[email protected]: adjust indentation in ksys_msgctl] Link: ClangBuiltLinux/linux#829 Link: http://lkml.kernel.org/r/[email protected] Link: http://lkml.kernel.org/r/[email protected] Signed-off-by: Lu Shuaibing <[email protected]> Signed-off-by: Nathan Chancellor <[email protected]> Suggested-by: Arnd Bergmann <[email protected]> Cc: Davidlohr Bueso <[email protected]> Cc: Manfred Spraul <[email protected]> Cc: NeilBrown <[email protected]> From: Andrew Morton <[email protected]> Subject: ipc/msg.c: consolidate all xxxctl_down() functions Each line here overflows 80 cols by exactly one character. Delete one tab per line to fix. Cc: Shaohua Li <[email protected]> Cc: Jens Axboe <[email protected]> Signed-off-by: Andrew Morton <[email protected]> Signed-off-by: Linus Torvalds <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]>
1 parent f7d8f99 commit 078dd73

File tree

1 file changed

+10
-9
lines changed

1 file changed

+10
-9
lines changed

ipc/msg.c

Lines changed: 10 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -377,7 +377,7 @@ copy_msqid_from_user(struct msqid64_ds *out, void __user *buf, int version)
377377
* NOTE: no locks must be held, the rwsem is taken inside this function.
378378
*/
379379
static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
380-
struct msqid64_ds *msqid64)
380+
struct ipc64_perm *perm, int msg_qbytes)
381381
{
382382
struct kern_ipc_perm *ipcp;
383383
struct msg_queue *msq;
@@ -387,7 +387,7 @@ static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
387387
rcu_read_lock();
388388

389389
ipcp = ipcctl_obtain_check(ns, &msg_ids(ns), msqid, cmd,
390-
&msqid64->msg_perm, msqid64->msg_qbytes);
390+
perm, msg_qbytes);
391391
if (IS_ERR(ipcp)) {
392392
err = PTR_ERR(ipcp);
393393
goto out_unlock1;
@@ -409,18 +409,18 @@ static int msgctl_down(struct ipc_namespace *ns, int msqid, int cmd,
409409
{
410410
DEFINE_WAKE_Q(wake_q);
411411

412-
if (msqid64->msg_qbytes > ns->msg_ctlmnb &&
412+
if (msg_qbytes > ns->msg_ctlmnb &&
413413
!capable(CAP_SYS_RESOURCE)) {
414414
err = -EPERM;
415415
goto out_unlock1;
416416
}
417417

418418
ipc_lock_object(&msq->q_perm);
419-
err = ipc_update_perm(&msqid64->msg_perm, ipcp);
419+
err = ipc_update_perm(perm, ipcp);
420420
if (err)
421421
goto out_unlock0;
422422

423-
msq->q_qbytes = msqid64->msg_qbytes;
423+
msq->q_qbytes = msg_qbytes;
424424

425425
msq->q_ctime = ktime_get_real_seconds();
426426
/*
@@ -603,9 +603,10 @@ long ksys_msgctl(int msqid, int cmd, struct msqid_ds __user *buf)
603603
case IPC_SET:
604604
if (copy_msqid_from_user(&msqid64, buf, version))
605605
return -EFAULT;
606-
/* fallthru */
606+
return msgctl_down(ns, msqid, cmd, &msqid64.msg_perm,
607+
msqid64.msg_qbytes);
607608
case IPC_RMID:
608-
return msgctl_down(ns, msqid, cmd, &msqid64);
609+
return msgctl_down(ns, msqid, cmd, NULL, 0);
609610
default:
610611
return -EINVAL;
611612
}
@@ -724,9 +725,9 @@ long compat_ksys_msgctl(int msqid, int cmd, void __user *uptr)
724725
case IPC_SET:
725726
if (copy_compat_msqid_from_user(&msqid64, uptr, version))
726727
return -EFAULT;
727-
/* fallthru */
728+
return msgctl_down(ns, msqid, cmd, &msqid64.msg_perm, msqid64.msg_qbytes);
728729
case IPC_RMID:
729-
return msgctl_down(ns, msqid, cmd, &msqid64);
730+
return msgctl_down(ns, msqid, cmd, NULL, 0);
730731
default:
731732
return -EINVAL;
732733
}

0 commit comments

Comments
 (0)