114 lines
4.0 KiB
Diff
114 lines
4.0 KiB
Diff
Return-Path: <tglx@linutronix.de>
|
|
Received: from Galois.linutronix.de (Galois.linutronix.de
|
|
[IPv6:2001:470:1f0b:db:abcd:42:0:1]) by vinyl.outflux.net
|
|
(8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id s53CRBLI010804
|
|
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for
|
|
<kees@outflux.net>; Tue, 3 Jun 2014 05:27:17 -0700
|
|
Received: from localhost ([127.0.0.1] helo=[127.0.1.1]) by
|
|
Galois.linutronix.de with esmtp (Exim 4.80) (envelope-from
|
|
<tglx@linutronix.de>) id 1Wrno2-0002SV-Po; Tue, 03 Jun 2014 14:27:06 +0200
|
|
Message-Id: <20140603121944.770732571@linutronix.de>
|
|
User-Agent: quilt/0.63-1
|
|
Date: Tue, 03 Jun 2014 12:27:06 -0000
|
|
From: Thomas Gleixner <tglx@linutronix.de>
|
|
To: Linus Torvalds <torvalds@linux-foundation.org>
|
|
Cc: Darren Hart <dvhart@linux.intel.com>, Kees Cook <kees@outflux.net>,
|
|
"security@kernel.org" <security@kernel.org>, linux-distros@vs.openwall.org,
|
|
Sebastian Krahmer <krahmer@suse.de>, Ingo Molnar <mingo@kernel.org>, Will
|
|
Drewry <wad@chromium.org>, Kees Cook <keescook@chromium.org>
|
|
Subject: [patch 1/4] futex-prevent-requeue-pi-on-same-futex.patch futex:
|
|
Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1)
|
|
References: <20140603113303.799564413@linutronix.de>
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=ISO-8859-15
|
|
Content-Disposition: inline; filename=futex-prevent-requeue-pi-on-same-futex.patch
|
|
X-Linutronix-Spam-Score: -1.0
|
|
X-Linutronix-Spam-Level: -
|
|
X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required,
|
|
ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001
|
|
Received-SPF: none (linutronix.de: No applicable sender policy available)
|
|
receiver=smtp.outflux.net; identity=mailfrom;
|
|
envelope-from="tglx@linutronix.de"; helo=Galois.linutronix.de;
|
|
client-ip="2001:470:1f0b:db:abcd:42:0:1"
|
|
Envelope-To: kees@outflux.net
|
|
X-MIMEDefang-Filter: outflux$Revision: 1.316 $
|
|
X-HELO: Galois.linutronix.de
|
|
X-Spam-Status: No, hits=-0.651 required=5 tests=RP_MATCHES_RCVD
|
|
X-Spam-Checker-Version: SpamAssassin 3.4.0-outflux_revision__1.66__
|
|
X-Scanned-By: MIMEDefang 2.73
|
|
Status: RO
|
|
Content-Length: 2114
|
|
Lines: 73
|
|
|
|
If uaddr == uaddr2, then we have broken the rule of only requeueing
|
|
from a non-pi futex to a pi futex with this call. If we attempt this,
|
|
then dangling pointers may be left for rt_waiter resulting in an
|
|
exploitable condition.
|
|
|
|
This change brings futex_requeue() into line with
|
|
futex_wait_requeue_pi() which performs the same check as per commit
|
|
6f7b0a2a5 (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi())
|
|
|
|
[ tglx: Compare the resulting keys as well, as uaddrs might be
|
|
different depending on the mapping ]
|
|
|
|
Fixes CVE-2014-3153.
|
|
|
|
Reported-by: Pinkie Pie
|
|
Signed-off-by: Will Drewry <wad@chromium.org>
|
|
Signed-off-by: Kees Cook <keescook@chromium.org>
|
|
Cc: stable@vger.kernel.org
|
|
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
|
|
---
|
|
kernel/futex.c | 25 +++++++++++++++++++++++++
|
|
1 file changed, 25 insertions(+)
|
|
|
|
--- a/kernel/futex.c
|
|
+++ b/kernel/futex.c
|
|
@@ -1428,6 +1428,13 @@ static int futex_requeue(u32 __user *uad
|
|
|
|
if (requeue_pi) {
|
|
/*
|
|
+ * Requeue PI only works on two distinct uaddrs. This
|
|
+ * check is only valid for private futexes. See below.
|
|
+ */
|
|
+ if (uaddr1 == uaddr2)
|
|
+ return -EINVAL;
|
|
+
|
|
+ /*
|
|
* requeue_pi requires a pi_state, try to allocate it now
|
|
* without any locks in case it fails.
|
|
*/
|
|
@@ -1465,6 +1472,15 @@ retry:
|
|
if (unlikely(ret != 0))
|
|
goto out_put_key1;
|
|
|
|
+ /*
|
|
+ * The check above which compares uaddrs is not sufficient for
|
|
+ * shared futexes. We need to compare the keys:
|
|
+ */
|
|
+ if (requeue_pi && match_futex(&key1, &key2)) {
|
|
+ ret = -EINVAL;
|
|
+ goto out_put_keys;
|
|
+ }
|
|
+
|
|
hb1 = hash_futex(&key1);
|
|
hb2 = hash_futex(&key2);
|
|
|
|
@@ -2511,6 +2527,15 @@ static int futex_wait_requeue_pi(u32 __u
|
|
if (ret)
|
|
goto out_key2;
|
|
|
|
+ /*
|
|
+ * The check above which compares uaddrs is not sufficient for
|
|
+ * shared futexes. We need to compare the keys:
|
|
+ */
|
|
+ if (match_futex(&q.key, &key2)) {
|
|
+ ret = -EINVAL;
|
|
+ goto out_put_keys;
|
|
+ }
|
|
+
|
|
/* Queue the futex_q, drop the hb lock, wait for wakeup. */
|
|
futex_wait_queue_me(hb, &q, to);
|
|
|