Date: Tue, 29 Jun 2021 19:59:20 GMT From: Mark Johnston <markj@FreeBSD.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org Subject: git: f80ee27f447a - stable/11 - linux(4): Prevent integer overflow in futex_requeue. Message-ID: <202106291959.15TJxKEl066960@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch stable/11 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=f80ee27f447abc7baeb413cc0a7b7c21f9d32f8b commit f80ee27f447abc7baeb413cc0a7b7c21f9d32f8b Author: Dmitry Chagin <dchagin@FreeBSD.org> AuthorDate: 2021-06-10 11:23:11 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2021-06-29 18:47:53 +0000 linux(4): Prevent integer overflow in futex_requeue. To prevent a signed integer overflow in futex_requeue add a sanity check to catch negative values of nrwake or nrrequeue. (cherry picked from commit 25b09d6f398ea8a260ee8e2e8209fd76c61e13ee) --- sys/compat/linux/linux_futex.c | 23 ++++++++++++++++------- 1 file changed, 16 insertions(+), 7 deletions(-) diff --git a/sys/compat/linux/linux_futex.c b/sys/compat/linux/linux_futex.c index 686d2f7d2ec7..0be0483f4496 100644 --- a/sys/compat/linux/linux_futex.c +++ b/sys/compat/linux/linux_futex.c @@ -596,18 +596,19 @@ futex_wake(struct futex *f, int n, uint32_t bitset) } static int -futex_requeue(struct futex *f, int n, struct futex *f2, int n2) +futex_requeue(struct futex *f, int nrwake, struct futex *f2, + int nrrequeue) { struct waiting_proc *wp, *wpt; int count = 0; - LIN_SDT_PROBE4(futex, futex_requeue, entry, f, n, f2, n2); + LIN_SDT_PROBE4(futex, futex_requeue, entry, f, nrwake, f2, nrrequeue); FUTEX_ASSERT_LOCKED(f); FUTEX_ASSERT_LOCKED(f2); TAILQ_FOREACH_SAFE(wp, &f->f_waiting_proc, wp_list, wpt) { - if (++count <= n) { + if (++count <= nrwake) { LINUX_CTR2(sys_futex, "futex_req_wake uaddr %p wp %p", f->f_uaddr, wp); wp->wp_flags |= FUTEX_WP_REMOVED; @@ -633,7 +634,7 @@ futex_requeue(struct futex *f, int n, struct futex *f2, int n2) FUTEXES_LOCK; ++f2->f_refcount; FUTEXES_UNLOCK; - if (count - n >= n2) + if (count - nrwake >= nrrequeue) break; } } @@ -744,7 +745,7 @@ futex_atomic_op(struct thread *td, int encoded_op, uint32_t *uaddr) int linux_sys_futex(struct thread *td, struct linux_sys_futex_args *args) { - int clockrt, nrwake, op_ret, ret; + int clockrt, nrwake, nrrequeue, op_ret, ret; struct linux_pemuldata *pem; struct waiting_proc *wp; struct futex *f, *f2; @@ -888,6 +889,15 @@ retry0: return (EINVAL); } + nrrequeue = (int)(unsigned long)args->timeout; + nrwake = args->val; + /* + * Sanity check to prevent signed integer overflow, + * see Linux CVE-2018-6927 + */ + if (nrwake < 0 || nrrequeue < 0) + return (EINVAL); + retry1: error = futex_get(args->uaddr, NULL, &f, flags | FUTEX_DONTLOCK); if (error) { @@ -938,8 +948,7 @@ retry1: return (EAGAIN); } - nrwake = (int)(unsigned long)args->timeout; - td->td_retval[0] = futex_requeue(f, args->val, f2, nrwake); + td->td_retval[0] = futex_requeue(f, nrwake, f2, nrrequeue); futex_put(f2, NULL); futex_put(f, NULL); break;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202106291959.15TJxKEl066960>