diff options
author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-09-09 13:55:29 +0200 |
---|---|---|
committer | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-02-09 08:34:01 +0100 |
commit | 2e8c11547eeee4a048230747b104ebf584860f40 (patch) | |
tree | e06b11586cd1745da752bba78f7a903400741176 | |
parent | 5182caec0d69dc1a390c786f52a96a9f79e5ea11 (diff) | |
download | meta-fsl-ppc-2e8c11547eeee4a048230747b104ebf584860f40.tar.gz |
futex: CVE-2014-3153
Prevent requeue pi on same futex
References
http://www.openwall.com/lists/oss-security/2014/06/05/22
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
commit/?id=b9103e5f3a197aec4ec3d78fd5ff2bb74a496b42
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r-- | recipes-kernel/linux/files/futex-CVE-2014-3153.patch | 89 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-qoriq_3.12.bb | 1 |
2 files changed, 90 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/futex-CVE-2014-3153.patch b/recipes-kernel/linux/files/futex-CVE-2014-3153.patch new file mode 100644 index 0000000..aa37ce2 --- /dev/null +++ b/recipes-kernel/linux/files/futex-CVE-2014-3153.patch | |||
@@ -0,0 +1,89 @@ | |||
1 | From b9103e5f3a197aec4ec3d78fd5ff2bb74a496b42 Mon Sep 17 00:00:00 2001 | ||
2 | From: Thomas Gleixner <tglx@linutronix.de> | ||
3 | Date: Tue, 3 Jun 2014 12:27:06 +0000 | ||
4 | Subject: [PATCH] futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid | ||
5 | uaddr == uaddr2 in futex_requeue(..., requeue_pi=1) | ||
6 | |||
7 | commit e9c243a5a6de0be8e584c604d353412584b592f8 upstream. | ||
8 | |||
9 | If uaddr == uaddr2, then we have broken the rule of only requeueing from | ||
10 | a non-pi futex to a pi futex with this call. If we attempt this, then | ||
11 | dangling pointers may be left for rt_waiter resulting in an exploitable | ||
12 | condition. | ||
13 | |||
14 | This change brings futex_requeue() in line with futex_wait_requeue_pi() | ||
15 | which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid | ||
16 | uaddr == uaddr2 in futex_wait_requeue_pi()") | ||
17 | |||
18 | [ tglx: Compare the resulting keys as well, as uaddrs might be | ||
19 | different depending on the mapping ] | ||
20 | |||
21 | Fixes CVE-2014-3153. | ||
22 | |||
23 | Upstream-Status: Backport | ||
24 | |||
25 | Reported-by: Pinkie Pie | ||
26 | Signed-off-by: Will Drewry <wad@chromium.org> | ||
27 | Signed-off-by: Kees Cook <keescook@chromium.org> | ||
28 | Signed-off-by: Thomas Gleixner <tglx@linutronix.de> | ||
29 | Reviewed-by: Darren Hart <dvhart@linux.intel.com> | ||
30 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | ||
31 | Signed-off-by: Jiri Slaby <jslaby@suse.cz> | ||
32 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
33 | --- | ||
34 | kernel/futex.c | 25 +++++++++++++++++++++++++ | ||
35 | 1 file changed, 25 insertions(+) | ||
36 | |||
37 | diff --git a/kernel/futex.c b/kernel/futex.c | ||
38 | index 6c7975b..ab207d6 100644 | ||
39 | --- a/kernel/futex.c | ||
40 | +++ b/kernel/futex.c | ||
41 | @@ -1295,6 +1295,13 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags, | ||
42 | |||
43 | if (requeue_pi) { | ||
44 | /* | ||
45 | + * Requeue PI only works on two distinct uaddrs. This | ||
46 | + * check is only valid for private futexes. See below. | ||
47 | + */ | ||
48 | + if (uaddr1 == uaddr2) | ||
49 | + return -EINVAL; | ||
50 | + | ||
51 | + /* | ||
52 | * requeue_pi requires a pi_state, try to allocate it now | ||
53 | * without any locks in case it fails. | ||
54 | */ | ||
55 | @@ -1332,6 +1339,15 @@ retry: | ||
56 | if (unlikely(ret != 0)) | ||
57 | goto out_put_key1; | ||
58 | |||
59 | + /* | ||
60 | + * The check above which compares uaddrs is not sufficient for | ||
61 | + * shared futexes. We need to compare the keys: | ||
62 | + */ | ||
63 | + if (requeue_pi && match_futex(&key1, &key2)) { | ||
64 | + ret = -EINVAL; | ||
65 | + goto out_put_keys; | ||
66 | + } | ||
67 | + | ||
68 | hb1 = hash_futex(&key1); | ||
69 | hb2 = hash_futex(&key2); | ||
70 | |||
71 | @@ -2362,6 +2378,15 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, | ||
72 | if (ret) | ||
73 | goto out_key2; | ||
74 | |||
75 | + /* | ||
76 | + * The check above which compares uaddrs is not sufficient for | ||
77 | + * shared futexes. We need to compare the keys: | ||
78 | + */ | ||
79 | + if (match_futex(&q.key, &key2)) { | ||
80 | + ret = -EINVAL; | ||
81 | + goto out_put_keys; | ||
82 | + } | ||
83 | + | ||
84 | /* Queue the futex_q, drop the hb lock, wait for wakeup. */ | ||
85 | futex_wait_queue_me(hb, &q, to); | ||
86 | |||
87 | -- | ||
88 | 1.9.1 | ||
89 | |||
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index de11046..d3510ac 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb | |||
@@ -29,6 +29,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \ | |||
29 | file://sctp-CVE-2014-7841.patch \ | 29 | file://sctp-CVE-2014-7841.patch \ |
30 | file://0001-ALSA-CVE-2014-4656.patch \ | 30 | file://0001-ALSA-CVE-2014-4656.patch \ |
31 | file://0002-ALSA-CVE-2014-4656.patch \ | 31 | file://0002-ALSA-CVE-2014-4656.patch \ |
32 | file://futex-CVE-2014-3153.patch \ | ||
32 | " | 33 | " |
33 | SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229" | 34 | SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229" |
34 | 35 | ||