diff options
| author | Thomas Gleixner <tglx@linutronix.de> | 2014-06-03 12:27:06 +0000 |
|---|---|---|
| committer | Utkarsh Gupta <utkarsh.eminem@gmail.com> | 2014-06-16 13:56:31 +0530 |
| commit | 8a5d38ca20b050503938ec60073ecd964ead39b3 (patch) | |
| tree | 1d67798b0dcf3c55127cd057cf43c12134554582 /usr | |
| parent | 6922ae03f47b1b6be4a33e78fc55adc9257e6bba (diff) | |
| download | kernel_samsung_smdk4412-8a5d38ca20b050503938ec60073ecd964ead39b3.zip kernel_samsung_smdk4412-8a5d38ca20b050503938ec60073ecd964ead39b3.tar.gz kernel_samsung_smdk4412-8a5d38ca20b050503938ec60073ecd964ead39b3.tar.bz2 | |
Fix CVE-2014-3153
futex-prevent-requeue-pi-on-same-futex.patch futex:
Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1)
If uaddr == uaddr2, then we have broken the rule of only requeueing from
a non-pi futex to a pi futex with this call. If we attempt this, then
dangling pointers may be left for rt_waiter resulting in an exploitable
condition.
This change brings futex_requeue() in line with futex_wait_requeue_pi()
which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid
uaddr == uaddr2 in futex_wait_requeue_pi()")
[ tglx: Compare the resulting keys as well, as uaddrs might be
different depending on the mapping ]
Change-Id: Ibe6195215657c86bf2e39305656fdacf7230389d
Reported-by: Pinkie Pie
Signed-off-by: Will Drewry <wad@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Darren Hart <dvhart@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'usr')
0 files changed, 0 insertions, 0 deletions