87 lines
3.4 KiB
Diff
Return-Path: <tglx@linutronix.de>
Received: from Galois.linutronix.de (Galois.linutronix.de
    [IPv6:2001:470:1f0b:db:abcd:42:0:1]) by vinyl.outflux.net
    (8.14.4/8.14.4/Debian-4.1ubuntu1) with ESMTP id s53CRBqO010803
    (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for
    <kees@outflux.net>; Tue, 3 Jun 2014 05:27:17 -0700
Received: from localhost ([127.0.0.1] helo=[127.0.1.1]) by
    Galois.linutronix.de with esmtp (Exim 4.80) (envelope-from
    <tglx@linutronix.de>) id 1Wrno3-0002SY-Hl; Tue, 03 Jun 2014 14:27:07 +0200
Message-Id: <20140603121944.859726103@linutronix.de>
User-Agent: quilt/0.63-1
Date: Tue, 03 Jun 2014 12:27:06 -0000
From: Thomas Gleixner <tglx@linutronix.de>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Darren Hart <dvhart@linux.intel.com>, Kees Cook <kees@outflux.net>,
    "security@kernel.org" <security@kernel.org>, linux-distros@vs.openwall.org,
    Sebastian Krahmer <krahmer@suse.de>, Ingo Molnar <mingo@kernel.org>, Kees
    Cook <keescook@chromium.org>, Will Drewry <wad@chromium.org>
Subject: [patch 2/4] futex: Validate atomic acquisition in
    futex_lock_pi_atomic()
References: <20140603113303.799564413@linutronix.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-15
Content-Disposition: inline; filename=futex-validate-atomic-acquisiton.patch
X-Linutronix-Spam-Score: -1.0
X-Linutronix-Spam-Level: -
X-Linutronix-Spam-Status: No , -1.0 points, 5.0 required,
    ALL_TRUSTED=-1,SHORTCIRCUIT=-0.0001
Received-SPF: none (linutronix.de: No applicable sender policy available)
    receiver=smtp.outflux.net; identity=mailfrom;
    envelope-from="tglx@linutronix.de"; helo=Galois.linutronix.de;
    client-ip="2001:470:1f0b:db:abcd:42:0:1"
Envelope-To: kees@outflux.net
X-MIMEDefang-Filter: outflux$Revision: 1.316 $
X-HELO: Galois.linutronix.de
X-Spam-Status: No, hits=-0.651 required=5 tests=RP_MATCHES_RCVD
X-Spam-Checker-Version: SpamAssassin 3.4.0-outflux_revision__1.66__
X-Scanned-By: MIMEDefang 2.73
Content-Length: 1615
Lines: 47

We need to protect the atomic acquisition in the kernel against rogue
user space which sets the user space futex to 0, so the kernel side
acquisition succeeds while there is existing state in the kernel
associated to the real owner.

Verify whether the futex has waiters associated with kernel state. If
it has, return -EINVAL. The state is corrupted already, so no point in
cleaning it up. Subsequent calls will fail as well. Not our problem.

[ tglx: Use futex_top_waiter() and explain why we do not need to try
restoring the already corrupted user space state. ]

Signed-off-by: Darren Hart <dvhart@linux.intel.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Will Drewry <wad@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
---
 kernel/futex.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -896,10 +896,18 @@ retry:
return -EDEADLK;
/*
- * Surprise - we got the lock. Just return to userspace:
+ * Surprise - we got the lock, but we do not trust user space at all.
*/
- if (unlikely(!curval))
- return 1;
+ if (unlikely(!curval)) {
+ /*
+ * We verify whether there is kernel state for this
+ * futex. If not, we can safely assume, that the 0 ->
+ * TID transition is correct. If state exists, we do
+ * not bother to fixup the user space state as it was
+ * corrupted already.
+ */
+ return futex_top_waiter(hb, key) ? -EINVAL : 1;
+ }
uval = curval;
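Review bot: the new early return `return futex_top_waiter(hb, key) ? -EINVAL : 1;` is only sound if the waiter lookup and the preceding 0 -> TID transition are observed under the same hash-bucket lock, and neither the hunk nor the new comment says so; a one-line note in the comment that hb->lock is held here (or a lockdep_assert_held(&hb->lock) before the check) would let a reader of this block alone see why a concurrently enqueued waiter cannot slip in between the two. Two smaller points on the new comment: "we can safely assume, that the 0 -> TID transition is correct" has a stray comma before "that", and it would help to state explicitly that -EINVAL is returned with the user space word already holding the caller's TID, which is what the changelog's "no point in cleaning it up" refers to.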