64bit kernel/N32 userspace - shmctl corrupts userspace memory

To: linux-mips@linux-mips.org
Subject: 64bit kernel/N32 userspace - shmctl corrupts userspace memory
From: Chad Reese <creese@caviumnetworks.com>
Date: Tue, 25 Jul 2006 17:32:41 -0700
If you're running a 64bit kernel with N32 userspace, shmctl will corrupt
memory in userspace. When copy_shmid_to_user() is called, it copies the
entire kernel shmid_ds into userspace. For a 64bit kernel, this is 88
bytes. In N32 userspace it is 76 bytes.

My hack to get around the problem is attached, but I expect someone here
will be able to come up with a better fix. shmid_ds contains a lot of
members that are marked unused. Are these really useless?

Chad

Index: linux/ipc/shm.c
===================================================================
RCS file: /repository/octsw/linux/kernel_2.6/linux/ipc/shm.c,v
retrieving revision 1.1.1.6
retrieving revision 1.2
diff -u -r1.1.1.6 -r1.2
--- linux/ipc/shm.c     7 Jun 2006 19:19:51 -0000       1.1.1.6
+++ linux/ipc/shm.c     22 Jul 2006 02:26:11 -0000      1.2
@@ -321,7 +321,11 @@
                out.shm_lpid    = in->shm_lpid;
                out.shm_nattch  = in->shm_nattch;
 
-               return copy_to_user(buf, &out, sizeof(out));
+               /* Use offsetof() instead of sizeof() since N32 userspace has a 
+                   different size including the unused fields. This just 
copies 
+                   what is used. The old method would corrupt data after the 
+                   structure */
+               return copy_to_user(buf, &out, offsetof(struct shmid_ds, 
shm_unused2));
            }
        default:
                return -EINVAL;
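Review bot: The new `offsetof(struct shmid_ds, shm_unused2)` bound changes the native 64-bit path for every caller, and it only works if the kernel's struct shmid_ds matches the N32 layout byte for byte up to shm_unused2; nothing in the hunk checks that, and native 64-bit callers now get the members from shm_unused2 onward left unwritten in their buffer. Since the problem is an ABI size difference (88 vs 76 bytes per the description), the usual fix is to keep `return copy_to_user(buf, &out, sizeof(out));` here and route N32 shmctl through a compat copy routine that builds the 32-bit layout and copies exactly its size. If the offsetof shortcut stays, the comment should state the layout assumption explicitly, and a compile-time check of the expected offset would catch a header change that silently breaks it.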
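As an added illustration of the size mismatch the report describes (a constructed example, not code from the report or from the kernel): the two structs below are a simplified model with assumed field sizes, chosen so the kernel view is 88 bytes and the N32 view 76 as stated, and the demo functions show what the unpatched sizeof() copy, the patch's offsetof() bound, and a compat-style conversion each do to the memory just after the user's buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the two layouts in the report: the 64-bit kernel's
 * struct shmid_ds (88 bytes) and the N32 user view (76 bytes). Everything
 * before shm_unused2 is one opaque array; the field sizes are assumptions. */
struct kern_shmid_ds {                   /* 64-bit kernel view, sizeof == 88 */
    unsigned char shm_used[68];          /* shm_perm .. shm_nattch */
    uint64_t shm_unused2 __attribute__((aligned(8))); /* pointer-sized, at offset 72 */
    uint64_t shm_unused3;
};
struct n32_shmid_ds {                    /* N32 user view, sizeof == 76 */
    unsigned char shm_used[68];
    uint32_t shm_unused2, shm_unused3;   /* N32 pointers are 4 bytes */
};
/* The user's struct, then canary words for whatever the program keeps after it. */
#define CANARY 0xA5A5A5A5u
struct user_area { struct n32_shmid_ds ds; uint32_t canary[4]; };
static void prepare(struct user_area *u, struct kern_shmid_ds *in) {
    memset(u, 0, sizeof(*u));
    for (int i = 0; i < 4; i++) u->canary[i] = CANARY;
    memset(in, 0x11, sizeof(*in));       /* kernel-side data, any pattern */
}
/* How many 4-byte words past the user struct did a copy overwrite? */
static int clobbered_words(const struct user_area *u) {
    int n = 0;
    for (int i = 0; i < 4; i++) n += (u->canary[i] != CANARY);
    return n;
}
/* copy_to_user(buf, &out, nbytes) modelled as a raw copy into the user area. */
static int raw_copy_clobbers(size_t nbytes) {
    struct user_area u; struct kern_shmid_ds in;
    prepare(&u, &in);
    memcpy((unsigned char *)&u, &in, nbytes);
    return clobbered_words(&u);
}
/* Unpatched: sizeof(out) is 88, so the 12 bytes after the user struct are hit. */
int demo_sizeof_copy(void) { return raw_copy_clobbers(sizeof(struct kern_shmid_ds)); }
/* The report's patch: stop at shm_unused2 (72 bytes); nothing clobbered, but the user's shm_unused2/3 never written. */
int demo_offsetof_copy(void) { return raw_copy_clobbers(offsetof(struct kern_shmid_ds, shm_unused2)); }
/* Compat-style fix: convert to the N32 layout, then copy exactly its size. */
int demo_compat_copy(void) {
    struct user_area u; struct kern_shmid_ds in; struct n32_shmid_ds out;
    prepare(&u, &in);
    memcpy(out.shm_used, in.shm_used, sizeof(out.shm_used));
    out.shm_unused2 = (uint32_t)in.shm_unused2;
    out.shm_unused3 = (uint32_t)in.shm_unused3;
    memcpy(&u.ds, &out, sizeof(out));    /* 76 bytes, every N32 field written */
    return clobbered_words(&u);
}
```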