diff options
| author | Thomas Gleixner <tglx@linutronix.de> | 2014-12-08 04:07:56 -0500 |
|---|---|---|
| committer | Moyster <oysterized@gmail.com> | 2016-09-28 15:16:00 +0200 |
| commit | e9b8002347d23dacee667157d210c98dc6ed71a5 (patch) | |
| tree | 5691129aeeaf5e61fd1cb266b3d5258db7a5d357 /include/linux | |
| parent | ee7803818628514b94725610612d643e3e5b3b91 (diff) | |
futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == u…
…addr2 in futex_requeue(..., requeue_pi=1)
If uaddr == uaddr2, then we have broken the rule of only requeueing from
a non-pi futex to a pi futex with this call. If we attempt this, then
dangling pointers may be left for rt_waiter resulting in an exploitable
condition.
This change brings futex_requeue() in line with futex_wait_requeue_pi()
which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid
uaddr == uaddr2 in futex_wait_requeue_pi()")
[ tglx: Compare the resulting keys as well, as uaddrs might be
different depending on the mapping ]
Fixes CVE-2014-3153.
Change-Id: I3d40911aca262eaefc3852327fa12bec416cd27d
Reported-by: Pinkie Pie
Signed-off-by: Will Drewry <wad@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Darren Hart <dvhart@linux.intel.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: franciscofranco <franciscofranco.1990@gmail.com>
Signed-off-by: engstk <eng.stk@sapo.pt>
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions