From 8c81ddd2acd2c10979f5a64f6784ce7c6717495e Mon Sep 17 00:00:00 2001 From: Waiman Long Date: Tue, 30 Oct 2018 15:07:24 -0700 Subject: ipc: IPCMNI limit check for semmni For SysV semaphores, the semmni value is the last part of the 4-element sem number array. To make semmni behave in a similar way to msgmni and shmmni, we can't directly use the _minmax handler. Instead, a special sem specific handler is added to check the last argument to make sure that it is limited to the [0, IPCMNI] range. An error will be returned if this is not the case. Link: http://lkml.kernel.org/r/1536352137-12003-3-git-send-email-longman@redhat.com Signed-off-by: Waiman Long Reviewed-by: Davidlohr Bueso Cc: "Eric W. Biederman" Cc: Jonathan Corbet Cc: Kees Cook Cc: Luis R. Rodriguez Cc: Matthew Wilcox Cc: Takashi Iwai Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- ipc/util.h | 9 +++++++++ 1 file changed, 9 insertions(+) (limited to 'ipc/util.h') diff --git a/ipc/util.h b/ipc/util.h index 1ee81bce25e9..d768fdbed515 100644 --- a/ipc/util.h +++ b/ipc/util.h @@ -217,6 +217,15 @@ int ipcget(struct ipc_namespace *ns, struct ipc_ids *ids, void free_ipcs(struct ipc_namespace *ns, struct ipc_ids *ids, void (*free)(struct ipc_namespace *, struct kern_ipc_perm *)); +static inline int sem_check_semmni(struct ipc_namespace *ns) { + /* + * Check semmni range [0, IPCMNI] + * semmni is the last element of sem_ctls[4] array + */ + return ((ns->sem_ctls[3] < 0) || (ns->sem_ctls[3] > IPCMNI)) + ? -ERANGE : 0; +} + #ifdef CONFIG_COMPAT #include struct compat_ipc_perm { -- cgit v1.2.3-58-ga151