From 2e8c11547eeee4a048230747b104ebf584860f40 Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Wed, 9 Sep 2015 13:55:29 +0200 Subject: futex: CVE-2014-3153 Prevent requeue pi on same futex References http://www.openwall.com/lists/oss-security/2014/06/05/22 https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ commit/?id=b9103e5f3a197aec4ec3d78fd5ff2bb74a496b42 Signed-off-by: Sona Sarmadi --- .../linux/files/futex-CVE-2014-3153.patch | 89 ++++++++++++++++++++++ recipes-kernel/linux/linux-qoriq_3.12.bb | 1 + 2 files changed, 90 insertions(+) create mode 100644 recipes-kernel/linux/files/futex-CVE-2014-3153.patch diff --git a/recipes-kernel/linux/files/futex-CVE-2014-3153.patch b/recipes-kernel/linux/files/futex-CVE-2014-3153.patch new file mode 100644 index 0000000..aa37ce2 --- /dev/null +++ b/recipes-kernel/linux/files/futex-CVE-2014-3153.patch @@ -0,0 +1,89 @@ +From b9103e5f3a197aec4ec3d78fd5ff2bb74a496b42 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Tue, 3 Jun 2014 12:27:06 +0000 +Subject: [PATCH] futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid + uaddr == uaddr2 in futex_requeue(..., requeue_pi=1) + +commit e9c243a5a6de0be8e584c604d353412584b592f8 upstream. + +If uaddr == uaddr2, then we have broken the rule of only requeueing from +a non-pi futex to a pi futex with this call. If we attempt this, then +dangling pointers may be left for rt_waiter resulting in an exploitable +condition. + +This change brings futex_requeue() in line with futex_wait_requeue_pi() +which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid +uaddr == uaddr2 in futex_wait_requeue_pi()") + +[ tglx: Compare the resulting keys as well, as uaddrs might be + different depending on the mapping ] + +Fixes CVE-2014-3153. + +Upstream-Status: Backport + +Reported-by: Pinkie Pie +Signed-off-by: Will Drewry +Signed-off-by: Kees Cook +Signed-off-by: Thomas Gleixner +Reviewed-by: Darren Hart +Signed-off-by: Linus Torvalds +Signed-off-by: Jiri Slaby +Signed-off-by: Sona Sarmadi +--- + kernel/futex.c | 25 +++++++++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/kernel/futex.c b/kernel/futex.c +index 6c7975b..ab207d6 100644 +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -1295,6 +1295,13 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags, + + if (requeue_pi) { + /* ++ * Requeue PI only works on two distinct uaddrs. This ++ * check is only valid for private futexes. See below. ++ */ ++ if (uaddr1 == uaddr2) ++ return -EINVAL; ++ ++ /* + * requeue_pi requires a pi_state, try to allocate it now + * without any locks in case it fails. + */ +@@ -1332,6 +1339,15 @@ retry: + if (unlikely(ret != 0)) + goto out_put_key1; + ++ /* ++ * The check above which compares uaddrs is not sufficient for ++ * shared futexes. We need to compare the keys: ++ */ ++ if (requeue_pi && match_futex(&key1, &key2)) { ++ ret = -EINVAL; ++ goto out_put_keys; ++ } ++ + hb1 = hash_futex(&key1); + hb2 = hash_futex(&key2); + +@@ -2362,6 +2378,15 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, + if (ret) + goto out_key2; + ++ /* ++ * The check above which compares uaddrs is not sufficient for ++ * shared futexes. We need to compare the keys: ++ */ ++ if (match_futex(&q.key, &key2)) { ++ ret = -EINVAL; ++ goto out_put_keys; ++ } ++ + /* Queue the futex_q, drop the hb lock, wait for wakeup. */ + futex_wait_queue_me(hb, &q, to); + +-- +1.9.1 + diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb index de11046..d3510ac 100644 --- a/recipes-kernel/linux/linux-qoriq_3.12.bb +++ b/recipes-kernel/linux/linux-qoriq_3.12.bb @@ -29,6 +29,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \ file://sctp-CVE-2014-7841.patch \ file://0001-ALSA-CVE-2014-4656.patch \ file://0002-ALSA-CVE-2014-4656.patch \ + file://futex-CVE-2014-3153.patch \ " SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229" -- cgit v1.2.3-54-g00ecf