futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1) - olio-linux-3.10.git - Unnamed repository; edit this file 'description' to name the repository.

diff options

author	Thomas Gleixner <tglx@linutronix.de>	2014-06-03 12:27:06 +0000
committer	James Wylder <jwylder@motorola.com>	2014-07-15 16:41:07 +0000
commit	b5cb56ef23040ddd5f9725f54bcab9e174a8bb1e (patch)
tree	eac5bdad425cdcccac09375f1f4a51ee2c994db6 /kernel/smp.c
parent	2b764141c7b8194e2be5deeddd86e5fee6d98de4 (diff)
download	olio-linux-3.10-b5cb56ef23040ddd5f9725f54bcab9e174a8bb1e.tar.xz olio-linux-3.10-b5cb56ef23040ddd5f9725f54bcab9e174a8bb1e.zip

futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1)

If uaddr == uaddr2, then we have broken the rule of only requeueing from a non-pi futex to a pi futex with this call. If we attempt this, then dangling pointers may be left for rt_waiter resulting in an exploitable condition. This change brings futex_requeue() in line with futex_wait_requeue_pi() which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi()") [ tglx: Compare the resulting keys as well, as uaddrs might be different depending on the mapping ] Fixes CVE-2014-3153. Reported-by: Pinkie Pie Signed-off-by: Will Drewry <wad@chromium.org> Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@vger.kernel.org Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Reviewed-by: Darren Hart <dvhart@linux.intel.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Diffstat (limited to 'kernel/smp.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: