diff options
| author | Sona Sarmadi <sona.sarmadi@enea.com> | 2015-09-09 13:55:29 +0200 |
|---|---|---|
| committer | Sona Sarmadi <sona.sarmadi@enea.com> | 2016-02-09 08:34:01 +0100 |
| commit | 2e8c11547eeee4a048230747b104ebf584860f40 (patch) | |
| tree | e06b11586cd1745da752bba78f7a903400741176 | |
| parent | 5182caec0d69dc1a390c786f52a96a9f79e5ea11 (diff) | |
| download | meta-fsl-ppc-2e8c11547eeee4a048230747b104ebf584860f40.tar.gz | |
futex: CVE-2014-3153
Prevent requeue pi on same futex
References
http://www.openwall.com/lists/oss-security/2014/06/05/22
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
commit/?id=b9103e5f3a197aec4ec3d78fd5ff2bb74a496b42
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
| -rw-r--r-- | recipes-kernel/linux/files/futex-CVE-2014-3153.patch | 89 | ||||
| -rw-r--r-- | recipes-kernel/linux/linux-qoriq_3.12.bb | 1 |
2 files changed, 90 insertions, 0 deletions
diff --git a/recipes-kernel/linux/files/futex-CVE-2014-3153.patch b/recipes-kernel/linux/files/futex-CVE-2014-3153.patch new file mode 100644 index 0000000..aa37ce2 --- /dev/null +++ b/recipes-kernel/linux/files/futex-CVE-2014-3153.patch | |||
| @@ -0,0 +1,89 @@ | |||
| 1 | From b9103e5f3a197aec4ec3d78fd5ff2bb74a496b42 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Thomas Gleixner <tglx@linutronix.de> | ||
| 3 | Date: Tue, 3 Jun 2014 12:27:06 +0000 | ||
| 4 | Subject: [PATCH] futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid | ||
| 5 | uaddr == uaddr2 in futex_requeue(..., requeue_pi=1) | ||
| 6 | |||
| 7 | commit e9c243a5a6de0be8e584c604d353412584b592f8 upstream. | ||
| 8 | |||
| 9 | If uaddr == uaddr2, then we have broken the rule of only requeueing from | ||
| 10 | a non-pi futex to a pi futex with this call. If we attempt this, then | ||
| 11 | dangling pointers may be left for rt_waiter resulting in an exploitable | ||
| 12 | condition. | ||
| 13 | |||
| 14 | This change brings futex_requeue() in line with futex_wait_requeue_pi() | ||
| 15 | which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid | ||
| 16 | uaddr == uaddr2 in futex_wait_requeue_pi()") | ||
| 17 | |||
| 18 | [ tglx: Compare the resulting keys as well, as uaddrs might be | ||
| 19 | different depending on the mapping ] | ||
| 20 | |||
| 21 | Fixes CVE-2014-3153. | ||
| 22 | |||
| 23 | Upstream-Status: Backport | ||
| 24 | |||
| 25 | Reported-by: Pinkie Pie | ||
| 26 | Signed-off-by: Will Drewry <wad@chromium.org> | ||
| 27 | Signed-off-by: Kees Cook <keescook@chromium.org> | ||
| 28 | Signed-off-by: Thomas Gleixner <tglx@linutronix.de> | ||
| 29 | Reviewed-by: Darren Hart <dvhart@linux.intel.com> | ||
| 30 | Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> | ||
| 31 | Signed-off-by: Jiri Slaby <jslaby@suse.cz> | ||
| 32 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
| 33 | --- | ||
| 34 | kernel/futex.c | 25 +++++++++++++++++++++++++ | ||
| 35 | 1 file changed, 25 insertions(+) | ||
| 36 | |||
| 37 | diff --git a/kernel/futex.c b/kernel/futex.c | ||
| 38 | index 6c7975b..ab207d6 100644 | ||
| 39 | --- a/kernel/futex.c | ||
| 40 | +++ b/kernel/futex.c | ||
| 41 | @@ -1295,6 +1295,13 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags, | ||
| 42 | |||
| 43 | if (requeue_pi) { | ||
| 44 | /* | ||
| 45 | + * Requeue PI only works on two distinct uaddrs. This | ||
| 46 | + * check is only valid for private futexes. See below. | ||
| 47 | + */ | ||
| 48 | + if (uaddr1 == uaddr2) | ||
| 49 | + return -EINVAL; | ||
| 50 | + | ||
| 51 | + /* | ||
| 52 | * requeue_pi requires a pi_state, try to allocate it now | ||
| 53 | * without any locks in case it fails. | ||
| 54 | */ | ||
| 55 | @@ -1332,6 +1339,15 @@ retry: | ||
| 56 | if (unlikely(ret != 0)) | ||
| 57 | goto out_put_key1; | ||
| 58 | |||
| 59 | + /* | ||
| 60 | + * The check above which compares uaddrs is not sufficient for | ||
| 61 | + * shared futexes. We need to compare the keys: | ||
| 62 | + */ | ||
| 63 | + if (requeue_pi && match_futex(&key1, &key2)) { | ||
| 64 | + ret = -EINVAL; | ||
| 65 | + goto out_put_keys; | ||
| 66 | + } | ||
| 67 | + | ||
| 68 | hb1 = hash_futex(&key1); | ||
| 69 | hb2 = hash_futex(&key2); | ||
| 70 | |||
| 71 | @@ -2362,6 +2378,15 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, | ||
| 72 | if (ret) | ||
| 73 | goto out_key2; | ||
| 74 | |||
| 75 | + /* | ||
| 76 | + * The check above which compares uaddrs is not sufficient for | ||
| 77 | + * shared futexes. We need to compare the keys: | ||
| 78 | + */ | ||
| 79 | + if (match_futex(&q.key, &key2)) { | ||
| 80 | + ret = -EINVAL; | ||
| 81 | + goto out_put_keys; | ||
| 82 | + } | ||
| 83 | + | ||
| 84 | /* Queue the futex_q, drop the hb lock, wait for wakeup. */ | ||
| 85 | futex_wait_queue_me(hb, &q, to); | ||
| 86 | |||
| 87 | -- | ||
| 88 | 1.9.1 | ||
| 89 | |||
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index de11046..d3510ac 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb | |||
| @@ -29,6 +29,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \ | |||
| 29 | file://sctp-CVE-2014-7841.patch \ | 29 | file://sctp-CVE-2014-7841.patch \ |
| 30 | file://0001-ALSA-CVE-2014-4656.patch \ | 30 | file://0001-ALSA-CVE-2014-4656.patch \ |
| 31 | file://0002-ALSA-CVE-2014-4656.patch \ | 31 | file://0002-ALSA-CVE-2014-4656.patch \ |
| 32 | file://futex-CVE-2014-3153.patch \ | ||
| 32 | " | 33 | " |
| 33 | SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229" | 34 | SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229" |
| 34 | 35 | ||