author:    Jiri Kosina <jkosina@suse.cz>  2014-06-04 10:59:45 +0200
committer: Jiri Kosina <jkosina@suse.cz>  2014-06-04 10:59:53 +0200
commit:    87c5279b3db53bb442d4a28b876a0def874cdfa1  (tag: rpm-3.0.101-0.31)
tree:      afd75b64fe355629fa805d9c2dfdf7f4557180b0
parent:    ed731a40f3338312762aaf039a73ab0852edefd2

futex: Validate atomic acquisition in futex_lock_pi_atomic()
(bnc#880892 CVE-2014-3153).

 patches.fixes/0002-futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch | 55 +
 series.conf                                                                          |  1 +
 2 files changed, 56 insertions, 0 deletions
diff --git a/patches.fixes/0002-futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch b/patches.fixes/0002-futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
new file mode 100644
index 0000000000..39076ee4d8
--- /dev/null
+++ b/patches.fixes/0002-futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
@@ -0,0 +1,55 @@
+From: Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Subject: futex: Validate atomic acquisition in futex_lock_pi_atomic()
+References: bnc#880892 CVE-2014-3153
+Patch-mainline: not yet
+
+
+We need to protect the atomic acquisition in the kernel against rogue
+user space which sets the user space futex to 0, so the kernel side
+acquisition succeeds while there is existing state in the kernel
+associated to the real owner.
+
+Verify whether the futex has waiters associated with kernel state. If
+it has, return -EINVAL. The state is corrupted already, so no point in
+cleaning it up. Subsequent calls will fail as well. Not our problem.
+
+[ tglx: Use futex_top_waiter() and explain why we do not need to try
+ restoring the already corrupted user space state. ]
+
+Signed-off-by: Darren Hart <dvhart@linux.intel.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Will Drewry <wad@chromium.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+---
+ kernel/futex.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+Index: linux/kernel/futex.c
+===================================================================
+--- linux.orig/kernel/futex.c
++++ linux/kernel/futex.c
+@@ -910,10 +910,18 @@ retry:
+ return -EDEADLK;
+
+ /*
+- * Surprise - we got the lock. Just return to userspace:
++ * Surprise - we got the lock, but we do not trust user space at all.
+ */
+- if (unlikely(!curval))
+- return 1;
++ if (unlikely(!curval)) {
++ /*
++ * We verify whether there is kernel state for this
++ * futex. If not, we can safely assume, that the 0 ->
++ * TID transition is correct. If state exists, we do
++ * not bother to fixup the user space state as it was
++ * corrupted already.
++ */
++ return futex_top_waiter(hb, key) ? -EINVAL : 1;
++ }
+
+ uval = curval;
+
+
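Review bot: the `From:` header at the top of the new patch file is malformed, reading `From: Signed-off-by: Thomas Gleixner <tglx@linutronix.de>`, so the author field carries a Signed-off-by tag instead of a bare name; it should read `From: Thomas Gleixner <tglx@linutronix.de>` (his Signed-off-by line already appears further down in the trailer). Two smaller points on the embedded kernel/futex.c hunk: the new comment explains why a stale user-space value is not repaired, but it does not say which lock must be held for the `futex_top_waiter(hb, key)` walk over the hash bucket to be safe, and since the new -EINVAL path now depends on that, one sentence naming the lock would help the next reader of this hunk. Also, `Patch-mainline: not yet` should be replaced with the upstream commit id once the fix lands, so the CVE-2014-3153 reference can be traced back to mainline.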
diff --git a/series.conf b/series.conf
index 8c6543bbe0..f67f512109 100644
--- a/series.conf
+++ b/series.conf
@@ -405,6 +405,7 @@
patches.fixes/futex-Fix-futex_hashsize-initialization.patch
patches.fixes/0001-futex-Forbid-uaddr-uaddr2-in-requeue.patch
+ patches.fixes/0002-futex-Validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
########################################################
# ia64