If you're running a 64-bit kernel with N32 userspace, shmctl will corrupt
memory in userspace. When copy_shmid_to_user() is called, it copies the
entire kernel shmid_ds into userspace. For a 64-bit kernel, this is 88
bytes. In N32 userspace it is 76 bytes.
My hack to get around the problem is attached, but I expect someone here
will be able to come up with a better fix. shmid_ds contains a lot of
members that are marked unused. Are these really useless?
Chad
Index: linux/ipc/shm.c
===================================================================
RCS file: /repository/octsw/linux/kernel_2.6/linux/ipc/shm.c,v
retrieving revision 1.1.1.6
retrieving revision 1.2
diff -u -r1.1.1.6 -r1.2
--- linux/ipc/shm.c 7 Jun 2006 19:19:51 -0000 1.1.1.6
+++ linux/ipc/shm.c 22 Jul 2006 02:26:11 -0000 1.2
@@ -321,7 +321,11 @@
out.shm_lpid = in->shm_lpid;
out.shm_nattch = in->shm_nattch;
- return copy_to_user(buf, &out, sizeof(out));
+ /* Use offsetof() instead of sizeof() since N32 userspace has a
+ different size including the unused fields. This just
copies
+ what is used. The old method would corrupt data after the
+ structure */
+ return copy_to_user(buf, &out, offsetof(struct shmid_ds,
shm_unused2));
}
default:
return -EINVAL;
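Review bot: the offsetof() cut-off in this hunk is applied unconditionally, so a native 64-bit caller of the IPC_OLD shmctl path now also receives only the bytes up to shm_unused2 and the tail of its shmid_ds is left untouched instead of being filled; the ABI decision belongs to the caller, not to a field name in the kernel struct. The hunk also relies on the N32 layout matching the 64-bit kernel's struct shmid_ds field for field up to shm_unused2 without checking it anywhere; the usual fix is a compat shmctl path for N32 that builds the caller's own shmid_ds layout and does copy_to_user() of sizeof() that struct, rather than truncating the native copy. If the hack is kept, the comment should state which userspace layout it depends on instead of only saying "N32 userspace has a different size".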
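The layout mismatch described at the top of the post, as an added example that is not part of the original post or of the kernel source: the two struct definitions below are constructed stand-ins (field widths are illustrative, not the real MIPS64 and N32 definitions, so their sizes are whatever the compiler produces rather than the 88 and 76 bytes quoted above), memcpy() stands in for copy_to_user(), and a guard area stands in for whatever userspace has placed after its shmid_ds. It shows the sizeof() copy writing past the user struct, the posted offsetof() cut-off staying in bounds only because the two layouts agree up to shm_unused2, and the compat-style translation that copies exactly the caller's struct size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the 64-bit kernel's struct shmid_ds, including
 * the unused tail. Not the real MIPS64 definition; only the tail matters. */
struct kern_shmid_ds {
    uint32_t key, uid, gid, cuid, cgid, mode, seq; /* ipc_perm stand-in */
    uint32_t pad;
    uint64_t shm_segsz;
    uint64_t shm_atime, shm_dtime, shm_ctime;
    uint32_t shm_cpid, shm_lpid, shm_nattch;
    uint32_t shm_unused1;
    uint64_t shm_unused2;
};

/* Constructed stand-in for what N32 userspace believes struct shmid_ds is:
 * the same leading fields, but a shorter tail. */
struct n32_shmid_ds {
    uint32_t key, uid, gid, cuid, cgid, mode, seq;
    uint32_t pad;
    uint64_t shm_segsz;
    uint64_t shm_atime, shm_dtime, shm_ctime;
    uint32_t shm_cpid, shm_lpid, shm_nattch;
    uint32_t shm_unused1;
};

#define GUARD  16
#define CANARY 0xA5

/* "User" memory: the N32 struct followed by guard bytes that model whatever
 * userspace keeps right after its shmid_ds. */
static unsigned char user_mem[sizeof(struct n32_shmid_ds) + GUARD];

static void user_mem_init(void)
{
    memset(user_mem, 0, sizeof user_mem);
    memset(user_mem + sizeof(struct n32_shmid_ds), CANARY, GUARD);
}

/* 1 if nothing was written past the N32 struct, 0 if the guard was hit. */
int guard_intact(void)
{
    unsigned char expect[GUARD];
    memset(expect, CANARY, GUARD);
    return memcmp(user_mem + sizeof(struct n32_shmid_ds), expect, GUARD) == 0;
}

/* Sample kernel-side record with constructed values. */
static void fill_kernel_record(struct kern_shmid_ds *in)
{
    memset(in, 0, sizeof *in);
    in->key = 0x1234;
    in->shm_segsz = 4096;
    in->shm_nattch = 2;
    in->shm_unused2 = 0xdeadbeefULL; /* ends up in the guard if copied */
}

/* Original behaviour: copy sizeof(kernel view) bytes to the user pointer. */
int copy_buggy(void)
{
    struct kern_shmid_ds out;
    user_mem_init();
    fill_kernel_record(&out);
    memcpy(user_mem, &out, sizeof out);
    return guard_intact();
}

/* The posted hack: stop at shm_unused2. Safe only while the N32 layout agrees
 * with the kernel layout up to that field, which the size check verifies. */
int copy_offsetof(void)
{
    struct kern_shmid_ds out;
    size_t n = offsetof(struct kern_shmid_ds, shm_unused2);
    user_mem_init();
    if (n > sizeof(struct n32_shmid_ds))
        return -1; /* would still overrun the caller's struct */
    fill_kernel_record(&out);
    memcpy(user_mem, &out, n);
    return guard_intact();
}

/* Compat-layer style: translate into the caller's own struct and copy exactly
 * sizeof() of that; no dependence on the two layouts lining up. */
int copy_compat(void)
{
    struct kern_shmid_ds in;
    struct n32_shmid_ds out;
    user_mem_init();
    fill_kernel_record(&in);
    memset(&out, 0, sizeof out);
    out.key = in.key;   out.uid = in.uid;   out.gid = in.gid;
    out.cuid = in.cuid; out.cgid = in.cgid; out.mode = in.mode; out.seq = in.seq;
    out.shm_segsz = in.shm_segsz;
    out.shm_atime = in.shm_atime; out.shm_dtime = in.shm_dtime;
    out.shm_ctime = in.shm_ctime;
    out.shm_cpid = in.shm_cpid; out.shm_lpid = in.shm_lpid;
    out.shm_nattch = in.shm_nattch;
    memcpy(user_mem, &out, sizeof out);
    return guard_intact();
}

/* What N32 userspace reads back as shm_nattch after the last copy. */
uint32_t user_read_nattch(void)
{
    struct n32_shmid_ds ds;
    memcpy(&ds, user_mem, sizeof ds);
    return ds.shm_nattch;
}

int main(void)
{
    printf("kernel view %zu bytes, N32 view %zu bytes\n",
           sizeof(struct kern_shmid_ds), sizeof(struct n32_shmid_ds));
    printf("sizeof() copy:   guard %s\n", copy_buggy() ? "intact" : "CORRUPTED");
    printf("offsetof() copy: guard %s\n", copy_offsetof() == 1 ? "intact" : "CORRUPTED");
    printf("compat copy:     guard %s\n", copy_compat() ? "intact" : "CORRUPTED");
    return 0;
}
```

The offsetof() variant only passes here because the constructed N32 struct happens to end exactly where shm_unused2 begins; change either layout and the size check is the only thing standing between the caller and the same overrun, which is why the compat translation is the robust choice.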