Re: [PATCH 4/5] ipc/msg: Lockless security checks for msgsnd

[Manfred Spraul]

On 09/22/2016 12:21 AM, Davidlohr Bueso wrote:
> On Sun, 18 Sep 2016, Manfred Spraul wrote:
>
> > > Just as with msgrcv (along with the rest of sysvipc since a few years
> > >    ago), perform the security checks without holding the ipc object 
> > > lock.
> > Thinking about it: isn't this wrong?
> >
> > CPU1:
> > * msgrcv()
> > * ipcperms()
> > <sleep>
> >
> > CPU2:
> > * msgctl(), change permissions
> > ** msgctl() returns, new permissions should now be in effect
> > * msgsnd(), send secret message
> > ** msgsnd() returns, new message stored.
> >
> > CPU1: resumes, receives secret message
>
> Hmm, would this not apply to everything IPC_SET, we do lockless 
> ipcperms()
> all over the place.
>
> > Obviously, we could argue that the msgrcv() was already ongoing and 
> > therefore the old permissions still apply - but then we don't need to 
> > recheck after sleeping at all.
>
> There is that, and furthermore we make no such guarantees under 
> concurrency.
> Another way of looking at it could perhaps be IPC_SET returning EPERM if
> there's an unserviced msgrcv -- but I'm not suggesting doing this btw ;)
I looked at it by comparing how we handle ipcperms and 
security_msg_queue_xx():
The security_msg_queue_xx are called under the lock, or actually the 
msgrcv even looks at the message that is transferred.

For ipc/sem.c and ipc/shm.c, both operations are called outside the lock.

So, my proposal would be that ipcperms and security_xx should show the 
same behavior regarding concurrent ops.
And this would mean that we should not move ipcperms() in msgrcv outside 
of the lock, i.e. drop the patch.

But if you have a better rational, feel free. But please document it in 
the changelog.

--
    Manfred