From 6c89eabc04466ab2e6caf65a227f3a91837fcb5e Mon Sep 17 00:00:00 2001 From: Andreas Wellving Date: Tue, 21 May 2019 15:45:56 +0200 Subject: futex: CVE-2018-6927 futex: Prevent overflow by strengthen input validation Reference: https://nvd.nist.gov/vuln/detail/CVE-2018-6927 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=17ae6ccfe5dd85605dc44534348b506f95d16a61 Change-Id: Iba6e207aec67070f34a7df6dbc95b841b0cf2d55 Signed-off-by: Andreas Wellving --- ...nt-overflow-by-strengthen-input-validatio.patch | 46 ++++++++++++++++++++++ 1 file changed, 46 insertions(+) create mode 100644 patches/cve/CVE-2018-6927-futex-Prevent-overflow-by-strengthen-input-validatio.patch diff --git a/patches/cve/CVE-2018-6927-futex-Prevent-overflow-by-strengthen-input-validatio.patch b/patches/cve/CVE-2018-6927-futex-Prevent-overflow-by-strengthen-input-validatio.patch new file mode 100644 index 0000000..d054de7 --- /dev/null +++ b/patches/cve/CVE-2018-6927-futex-Prevent-overflow-by-strengthen-input-validatio.patch 
@@ -0,0 +1,46 @@ +From 17ae6ccfe5dd85605dc44534348b506f95d16a61 Mon Sep 17 00:00:00 2001 +From: Li Jinyue +Date: Thu, 14 Dec 2017 17:04:54 +0800 +Subject: [PATCH] futex: Prevent overflow by strengthen input validation + +commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a upstream. + +UBSAN reports signed integer overflow in kernel/futex.c: + + UBSAN: Undefined behaviour in kernel/futex.c:2041:18 + signed integer overflow: + 0 - -2147483648 cannot be represented in type 'int' + +Add a sanity check to catch negative values of nr_wake and nr_requeue. + +CVE: CVE-2018-6927 +Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=17ae6ccfe5dd85605dc44534348b506f95d16a61] + +Signed-off-by: Li Jinyue +Signed-off-by: Thomas Gleixner +Cc: peterz@infradead.org +Cc: dvhart@infradead.org +Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Andreas Wellving +--- + kernel/futex.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/futex.c b/kernel/futex.c +index 29ac5b64e7c7..52b3f4703158 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -1878,6 +1878,9 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags, + struct futex_q *this, *next; + DEFINE_WAKE_Q(wake_q); + ++ if (nr_wake < 0 || nr_requeue < 0) ++ return -EINVAL; ++ + /* + * When PI not supported: return -ENOSYS if requeue_pi is true, + * consequently the compiler knows requeue_pi is always false past +-- +2.20.1 + -- cgit v1.2.3-54-g00ecf
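Review bot: the early `return -EINVAL` is placed before any hash-bucket locking or queue manipulation (the visible context shows only the local declarations and `DEFINE_WAKE_Q(wake_q);` preceding it), so rejecting negative `nr_wake`/`nr_requeue` here cannot leave a lock held or a `wake_q` entry dangling; that is the right spot for the check. What the commit message leaves out is the link between the guard and the failure it fixes: the quoted UBSAN report only shows `0 - -2147483648 cannot be represented in type 'int'` at kernel/futex.c:2041, but does not name the expression being evaluated or state that these two parameters reach `futex_requeue()` as signed ints derived from user-supplied values, so a reader of the backport cannot confirm from the message alone that `nr_wake < 0 || nr_requeue < 0` covers the overflowing subtraction. Suggest adding one sentence along the lines of "nr_wake and nr_requeue are user-controlled ints; the subtraction at line 2041 overflows when either is INT_MIN, so reject negatives up front", ideally with the overflowing expression quoted, so the intent survives when the 4.14 line numbers drift.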