futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == uaddr2 in... (e9c243a5) · Commits · 戴 / test

futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1) If uaddr == uaddr2, then we have broken the rule of only requeueing from a non-pi futex to a pi futex with this call. If we attempt this, then dangling pointers may be left for rt_waiter resulting in an exploitable condition. This change brings futex_requeue() in line with futex_wait_requeue_pi() which performs the same check as per commit ("futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi()") [ tglx: Compare the resulting keys as well, as uaddrs might be different depending on the mapping ] Fixes CVE-2014-3153. Reported-by: Pinkie Pie Signed-off-by:

Will Drewry <wad@chromium.org> Signed-off-by:

Kees Cook <keescook@chromium.org> Cc: stable@vger.kernel.org Signed-off-by:

Thomas Gleixner <tglx@linutronix.de> Reviewed-by:

Darren Hart <dvhart@linux.intel.com> Signed-off-by:

Linus Torvalds <torvalds@linux-foundation.org>

kernel/futex.c

+25 −0

Original line number	Diff line number	Diff line
		@@ -1441,6 +1441,13 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
		struct futex_q this, next;

		if (requeue_pi) {
		/*
		* Requeue PI only works on two distinct uaddrs. This
		* check is only valid for private futexes. See below.
		*/
		if (uaddr1 == uaddr2)
		return -EINVAL;

		/*
		* requeue_pi requires a pi_state, try to allocate it now
		* without any locks in case it fails.
		@@ -1479,6 +1486,15 @@ retry:
		if (unlikely(ret != 0))
		goto out_put_key1;

		/*
		* The check above which compares uaddrs is not sufficient for
		* shared futexes. We need to compare the keys:
		*/
		if (requeue_pi && match_futex(&key1, &key2)) {
		ret = -EINVAL;
		goto out_put_keys;
		}

		hb1 = hash_futex(&key1);
		hb2 = hash_futex(&key2);

		@@ -2525,6 +2541,15 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
		if (ret)
		goto out_key2;

		/*
		* The check above which compares uaddrs is not sufficient for
		* shared futexes. We need to compare the keys:
		*/
		if (match_futex(&q.key, &key2)) {
		ret = -EINVAL;
		goto out_put_keys;
		}

		/* Queue the futex_q, drop the hb lock, wait for wakeup. */
		futex_wait_queue_me(hb, &q, to);

Admin message