futex: CVE-2018-6927

futex: Prevent overflow by strengthen input validation Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-6927 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=17ae6ccfe5dd85605dc44534348b506f95d16a61 Change-Id: Iba6e207aec67070f34a7df6dbc95b841b0cf2d55 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-05-21 15:45:56 +0200
committer: Adrian Mangeac <Adrian.Mangeac@enea.com> 2019-05-21 17:24:26 +0200
commit: 6c89eabc04466ab2e6caf65a227f3a91837fcb5e (patch)
tree: d68993a5576520ddd853e6f7f0d72c5d83355b1d
parent: 6e248f8c7f9ee0c198a3f6024c61eb49a7951613 (diff)
download: enea-kernel-cache-6c89eabc04466ab2e6caf65a227f3a91837fcb5e.tar.gz
1 files changed, 46 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-6927-futex-Prevent-overflow-by-strengthen-input-validatio.patch b/patches/cve/CVE-2018-6927-futex-Prevent-overflow-by-strengthen-input-validatio.patch
new file mode 100644
index 0000000..d054de7
--- /dev/null
+++ b/patches/cve/CVE-2018-6927-futex-Prevent-overflow-by-strengthen-input-validatio.patch
@@ -0,0 +1,46 @@
+From 17ae6ccfe5dd85605dc44534348b506f95d16a61 Mon Sep 17 00:00:00 2001
+From: Li Jinyue <lijinyue@huawei.com>
+Date: Thu, 14 Dec 2017 17:04:54 +0800
+Subject: [PATCH] futex: Prevent overflow by strengthen input validation
+commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a upstream.
+UBSAN reports signed integer overflow in kernel/futex.c:
+ UBSAN: Undefined behaviour in kernel/futex.c:2041:18
+ signed integer overflow:
+ 0 - -2147483648 cannot be represented in type 'int'
+Add a sanity check to catch negative values of nr_wake and nr_requeue.
+CVE: CVE-2018-6927
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=17ae6ccfe5dd85605dc44534348b506f95d16a61]
+Signed-off-by: Li Jinyue <lijinyue@huawei.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: peterz@infradead.org
+Cc: dvhart@infradead.org
+Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ kernel/futex.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/kernel/futex.c b/kernel/futex.c
+index 29ac5b64e7c7..52b3f4703158 100644
+--- a/kernel/futex.c
+++ b/kernel/futex.c
+@@ -1878,6 +1878,9 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
+        struct futex_q *this, *next;
+        DEFINE_WAKE_Q(wake_q);
+ 
+       if (nr_wake < 0 || nr_requeue < 0)
+               return -EINVAL;
+
+        /*
+         * When PI not supported: return -ENOSYS if requeue_pi is true,
+         * consequently the compiler knows requeue_pi is always false past
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-05-21 15:45:56 +0200
committer	Adrian Mangeac <Adrian.Mangeac@enea.com>	2019-05-21 17:24:26 +0200
commit	6c89eabc04466ab2e6caf65a227f3a91837fcb5e (patch)
tree	d68993a5576520ddd853e6f7f0d72c5d83355b1d
parent	6e248f8c7f9ee0c198a3f6024c61eb49a7951613 (diff)
download	enea-kernel-cache-6c89eabc04466ab2e6caf65a227f3a91837fcb5e.tar.gz

diff --git a/patches/cve/CVE-2018-6927-futex-Prevent-overflow-by-strengthen-input-validatio.patch b/patches/cve/CVE-2018-6927-futex-Prevent-overflow-by-strengthen-input-validatio.patch new file mode 100644 index 0000000..d054de7 --- /dev/null +++ b/patches/cve/CVE-2018-6927-futex-Prevent-overflow-by-strengthen-input-validatio.patch
@@ -0,0 +1,46 @@
	1	From 17ae6ccfe5dd85605dc44534348b506f95d16a61 Mon Sep 17 00:00:00 2001
	2	From: Li Jinyue <lijinyue@huawei.com>
	3	Date: Thu, 14 Dec 2017 17:04:54 +0800
	4	Subject: [PATCH] futex: Prevent overflow by strengthen input validation
	5
	6	commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a upstream.
	7
	8	UBSAN reports signed integer overflow in kernel/futex.c:
	9
	10	UBSAN: Undefined behaviour in kernel/futex.c:2041:18
	11	signed integer overflow:
	12	0 - -2147483648 cannot be represented in type 'int'
	13
	14	Add a sanity check to catch negative values of nr_wake and nr_requeue.
	15
	16	CVE: CVE-2018-6927
	17	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=17ae6ccfe5dd85605dc44534348b506f95d16a61]
	18
	19	Signed-off-by: Li Jinyue <lijinyue@huawei.com>
	20	Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
	21	Cc: peterz@infradead.org
	22	Cc: dvhart@infradead.org
	23	Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
	24	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	25	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	26	---
	27	kernel/futex.c \| 3 +++
	28	1 file changed, 3 insertions(+)
	29
	30	diff --git a/kernel/futex.c b/kernel/futex.c
	31	index 29ac5b64e7c7..52b3f4703158 100644
	32	--- a/kernel/futex.c
	33	+++ b/kernel/futex.c
	34	@@ -1878,6 +1878,9 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
	35	struct futex_q this, next;
	36	DEFINE_WAKE_Q(wake_q);
	37
	38	+ if (nr_wake < 0 \|\| nr_requeue < 0)
	39	+ return -EINVAL;
	40	+
	41	/*
	42	* When PI not supported: return -ENOSYS if requeue_pi is true,
	43	* consequently the compiler knows requeue_pi is always false past
	44	--
	45	2.20.1
	46