diff options
| author | Andreas Wellving <andreas.wellving@enea.com> | 2019-05-21 15:45:56 +0200 |
|---|---|---|
| committer | Adrian Mangeac <Adrian.Mangeac@enea.com> | 2019-05-21 17:24:26 +0200 |
| commit | 6c89eabc04466ab2e6caf65a227f3a91837fcb5e (patch) | |
| tree | d68993a5576520ddd853e6f7f0d72c5d83355b1d /patches/cve/CVE-2018-6927-futex-Prevent-overflow-by-strengthen-input-validatio.patch | |
| parent | 6e248f8c7f9ee0c198a3f6024c61eb49a7951613 (diff) | |
| download | enea-kernel-cache-6c89eabc04466ab2e6caf65a227f3a91837fcb5e.tar.gz | |
futex: CVE-2018-6927
futex: Prevent overflow by strengthen input validation
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2018-6927
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=17ae6ccfe5dd85605dc44534348b506f95d16a61
Change-Id: Iba6e207aec67070f34a7df6dbc95b841b0cf2d55
Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
Diffstat (limited to 'patches/cve/CVE-2018-6927-futex-Prevent-overflow-by-strengthen-input-validatio.patch')
| -rw-r--r-- | patches/cve/CVE-2018-6927-futex-Prevent-overflow-by-strengthen-input-validatio.patch | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/patches/cve/CVE-2018-6927-futex-Prevent-overflow-by-strengthen-input-validatio.patch b/patches/cve/CVE-2018-6927-futex-Prevent-overflow-by-strengthen-input-validatio.patch new file mode 100644 index 0000000..d054de7 --- /dev/null +++ b/patches/cve/CVE-2018-6927-futex-Prevent-overflow-by-strengthen-input-validatio.patch | |||
| @@ -0,0 +1,46 @@ | |||
| 1 | From 17ae6ccfe5dd85605dc44534348b506f95d16a61 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Li Jinyue <lijinyue@huawei.com> | ||
| 3 | Date: Thu, 14 Dec 2017 17:04:54 +0800 | ||
| 4 | Subject: [PATCH] futex: Prevent overflow by strengthen input validation | ||
| 5 | |||
| 6 | commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a upstream. | ||
| 7 | |||
| 8 | UBSAN reports signed integer overflow in kernel/futex.c: | ||
| 9 | |||
| 10 | UBSAN: Undefined behaviour in kernel/futex.c:2041:18 | ||
| 11 | signed integer overflow: | ||
| 12 | 0 - -2147483648 cannot be represented in type 'int' | ||
| 13 | |||
| 14 | Add a sanity check to catch negative values of nr_wake and nr_requeue. | ||
| 15 | |||
| 16 | CVE: CVE-2018-6927 | ||
| 17 | Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=17ae6ccfe5dd85605dc44534348b506f95d16a61] | ||
| 18 | |||
| 19 | Signed-off-by: Li Jinyue <lijinyue@huawei.com> | ||
| 20 | Signed-off-by: Thomas Gleixner <tglx@linutronix.de> | ||
| 21 | Cc: peterz@infradead.org | ||
| 22 | Cc: dvhart@infradead.org | ||
| 23 | Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com | ||
| 24 | Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> | ||
| 25 | Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> | ||
| 26 | --- | ||
| 27 | kernel/futex.c | 3 +++ | ||
| 28 | 1 file changed, 3 insertions(+) | ||
| 29 | |||
| 30 | diff --git a/kernel/futex.c b/kernel/futex.c | ||
| 31 | index 29ac5b64e7c7..52b3f4703158 100644 | ||
| 32 | --- a/kernel/futex.c | ||
| 33 | +++ b/kernel/futex.c | ||
| 34 | @@ -1878,6 +1878,9 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags, | ||
| 35 | struct futex_q *this, *next; | ||
| 36 | DEFINE_WAKE_Q(wake_q); | ||
| 37 | |||
| 38 | + if (nr_wake < 0 || nr_requeue < 0) | ||
| 39 | + return -EINVAL; | ||
| 40 | + | ||
| 41 | /* | ||
| 42 | * When PI not supported: return -ENOSYS if requeue_pi is true, | ||
| 43 | * consequently the compiler knows requeue_pi is always false past | ||
| 44 | -- | ||
| 45 | 2.20.1 | ||
| 46 | |||