rpms/kernel/F-11 futex-handle-user-space-corruption-gracefully.patch, NONE, 1.1 patch-2.6.32.8.bz2.sign, NONE, 1.1 .cvsignore, 1.1069, 1.1070 kernel.spec, 1.1814, 1.1815 sources, 1.1031, 1.1032 upstream, 1.942, 1.943 patch-2.6.32.7.bz2.sign, 1.1, NONE patch-2.6.32.8-rc2.bz2.sign, 1.1, NONE
Kyle McMartin
kyle at fedoraproject.org
Tue Feb 9 13:45:01 UTC 2010
- Previous message: rpms/openoffice.org/devel workspace.x86_64_bridgefix.patch, NONE, 1.1 openoffice.org.spec, 1.2143, 1.2144
- Next message: rpms/kernel/F-12 futex-handle-user-space-corruption-gracefully.patch, NONE, 1.1 patch-2.6.32.8.bz2.sign, NONE, 1.1 .cvsignore, 1.1146, 1.1147 kernel.spec, 1.2008, 1.2009 sources, 1.1104, 1.1105 upstream, 1.1018, 1.1019 patch-2.6.32.7.bz2.sign, 1.1, NONE patch-2.6.32.8-rc2.bz2.sign, 1.1, NONE
Author: kyle
Update of /cvs/pkgs/rpms/kernel/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23286
Modified Files:
.cvsignore kernel.spec sources upstream
Added Files:
futex-handle-user-space-corruption-gracefully.patch
patch-2.6.32.8.bz2.sign
Removed Files:
patch-2.6.32.7.bz2.sign patch-2.6.32.8-rc2.bz2.sign
Log Message:
* Tue Feb 09 2010 Kyle McMartin <kyle at redhat.com> 2.6.32.8-30
- Linux 2.6.32.8
- futex-handle-user-space-corruption-gracefully.patch: Fix oops in
the PI futex code. (rhbz#563091)
futex-handle-user-space-corruption-gracefully.patch:
futex.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- NEW FILE futex-handle-user-space-corruption-gracefully.patch ---
From b4e238cbe7f719c10b90e49dffbc0f7f0f6863d5 Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx at linutronix.de>
Date: Tue, 2 Feb 2010 11:40:27 +0100
Subject: [PATCH] futex: Handle user space corruption gracefully
If the owner of a PI futex dies we fix up the pi_state and set
pi_state->owner to NULL. When a malicious or just sloppily programmed
user space application sets the futex value to 0 e.g. by calling
pthread_mutex_init(), then the futex can be acquired again. A new
waiter manages to enqueue itself on the pi_state w/o damage, but on
unlock the kernel dereferences pi_state->owner and oopses.
Prevent this by checking pi_state->owner in the unlock path. If
pi_state->owner is not current we know that user space manipulated the
futex value. Ignore the mess and return -EINVAL.
This catches the above case and also the case where a task hijacks the
futex by setting the tid value and then tries to unlock it.
Reported-by: Jermome Marchand <jmarchan at redhat.com>
Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
Acked-by: Darren Hart <dvhltc at us.ibm.com>
Acked-by: Peter Zijlstra <a.p.zijlstra at chello.nl>
Cc: <stable at kernel.org>
---
kernel/futex.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/kernel/futex.c b/kernel/futex.c
index 3b74909..eb84b95 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -758,6 +758,13 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
if (!pi_state)
return -EINVAL;
+ /*
+ * If current does not own the pi_state then the futex is
+ * inconsistent and user space fiddled with the futex value.
+ */
+ if (pi_state->owner != current)
+ return -EINVAL;
+
spin_lock(&pi_state->pi_mutex.wait_lock);
new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);
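Review bot: the new owner check at the top of wake_futex_pi() runs before spin_lock(&pi_state->pi_mutex.wait_lock) is taken, so the comment should state what serializes the read of pi_state->owner against the exit-time fixup that clears it, or the check should move under the wait_lock; from the hunk alone a reader cannot tell which lock protects the field. The comment would also be more useful if it named the two states the commit message says it rejects (owner == NULL after the owner died and user space reset the word, and an owner other than current after a tid hijack), because both return the same -EINVAL as the `if (!pi_state)` case just above and callers cannot distinguish them.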
--
1.6.6
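The sequence the commit message describes (owner dies, pi_state->owner becomes NULL, user space resets the futex word to 0, a new task takes the lock, a further waiter queues on the stale pi_state, the new holder calls FUTEX_UNLOCK_PI) is easier to follow with the two views of the lock side by side: the user-space futex word and the kernel's pi_state. The block below is an added user-space model written for this page; it is not kernel code and not part of the patch or the Fedora package. struct task, struct pi_state, the FIFO waiter list and the lock/unlock functions are simplified stand-ins, the tid values are made up, and the slow path is handed the owner explicitly where the real kernel looks it up from the tid in the word (lookup_pi_state()). The FUTEX_* bit values are the ones from linux/futex.h, and unlock_pi() applies the -EPERM tid check of futex_unlock_pi() followed by the owner check this patch adds to wake_futex_pi().

```c
/* Added example: user-space model of the PI-futex state the patch reasons
 * about. Not kernel code; structures and tids are simplified/made up. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bits of the user-space futex word (values from linux/futex.h). */
#define FUTEX_WAITERS    0x80000000u
#define FUTEX_OWNER_DIED 0x40000000u
#define FUTEX_TID_MASK   0x3fffffffu
#define MAX_WAITERS      4

struct task { uint32_t pid; };

/* Stand-in for the kernel's pi_state: who the kernel believes owns the
 * lock, plus the tasks queued on its rt_mutex (a plain FIFO here). */
struct pi_state {
    struct task *owner;
    struct task *waiters[MAX_WAITERS];
    int nwaiters;
};

struct pi_futex {
    uint32_t uval;        /* the futex word as user space sees it */
    struct pi_state ps;   /* kernel-side view, only built on contention */
};

static void futex_init(struct pi_futex *f)
{
    f->uval = 0;
    f->ps.owner = NULL;
    f->ps.nwaiters = 0;
}

/* Uncontended acquire: user space does cmpxchg(0 -> tid); the kernel is
 * never entered, so pi_state is not updated. Returns 1 on success. */
static int fastpath_lock(struct pi_futex *f, struct task *t)
{
    if (f->uval != 0)
        return 0;
    f->uval = t->pid;
    return 1;
}

/* FUTEX_LOCK_PI slow path. On first contention the kernel attaches a
 * pi_state whose owner it derives from the tid in the word; this model is
 * handed that owner explicitly. Later waiters reuse the existing pi_state. */
static void slowpath_lock_pi(struct pi_futex *f, struct task *owner,
                             struct task *waiter)
{
    if (f->ps.nwaiters == 0)
        f->ps.owner = owner;
    f->uval |= FUTEX_WAITERS;
    f->ps.waiters[f->ps.nwaiters++] = waiter;
}

/* Owner exits while holding the lock: the exit fixup clears the tid, sets
 * FUTEX_OWNER_DIED and drops pi_state->owner (pi_state stays alive because
 * a waiter is still queued on it). */
static void owner_died(struct pi_futex *f)
{
    f->uval = (f->uval & ~FUTEX_TID_MASK) | FUTEX_OWNER_DIED;
    f->ps.owner = NULL;
}

/* FUTEX_UNLOCK_PI: tid check from futex_unlock_pi(), then the handover in
 * wake_futex_pi() guarded by the owner check this patch adds. */
static int unlock_pi(struct pi_futex *f, struct task *current)
{
    if ((f->uval & FUTEX_TID_MASK) != current->pid)
        return -EPERM;
    if (f->ps.nwaiters == 0) {          /* nobody queued: plain release */
        f->uval = 0;
        f->ps.owner = NULL;
        return 0;
    }
    if (f->ps.owner != current)         /* the patch: word and pi_state disagree */
        return -EINVAL;
    struct task *next = f->ps.waiters[0];
    for (int i = 1; i < f->ps.nwaiters; i++)
        f->ps.waiters[i - 1] = f->ps.waiters[i];
    f->ps.nwaiters--;
    f->ps.owner = next;
    f->uval = next->pid | (f->ps.nwaiters ? FUTEX_WAITERS : 0);
    return 0;
}

/* The commit-message sequence: expect -EINVAL rather than a NULL deref. */
static int scenario_reinit_after_owner_death(void)
{
    struct task a = {101}, b = {102}, c = {103}, d = {104};
    struct pi_futex f;
    futex_init(&f);
    fastpath_lock(&f, &a);
    slowpath_lock_pi(&f, &a, &b);   /* pi_state: owner a, waiter b */
    owner_died(&f);                 /* owner NULL, word = DIED|WAITERS */
    f.uval = 0;                     /* pthread_mutex_init() on a live lock */
    fastpath_lock(&f, &c);          /* kernel unaware: owner still NULL */
    slowpath_lock_pi(&f, &c, &d);   /* d queues on the stale pi_state */
    return unlock_pi(&f, &c);
}

/* A task that writes its own tid into the word and then "unlocks". */
static int scenario_tid_hijack(void)
{
    struct task a = {101}, b = {102}, c = {103};
    struct pi_futex f;
    futex_init(&f);
    fastpath_lock(&f, &a);
    slowpath_lock_pi(&f, &a, &b);
    f.uval = (f.uval & ~FUTEX_TID_MASK) | c.pid;
    return unlock_pi(&f, &c);
}

/* Consistent case: returns the word after handover (b's tid, no waiters),
 * or 0xffffffff if the unlock failed or the owner was not updated. */
static uint32_t scenario_consistent_handover(void)
{
    struct task a = {101}, b = {102};
    struct pi_futex f;
    futex_init(&f);
    fastpath_lock(&f, &a);
    slowpath_lock_pi(&f, &a, &b);
    if (unlock_pi(&f, &a) != 0 || f.ps.owner != &b)
        return 0xffffffffu;
    return f.uval;
}

int main(void)
{
    printf("reinit after owner death: %d\n", scenario_reinit_after_owner_death());
    printf("tid hijack: %d\n", scenario_tid_hijack());
    printf("consistent handover: word=0x%x\n", scenario_consistent_handover());
    return 0;
}
```

The point the model makes is that the fast path never enters the kernel, so once pi_state->owner has been cleared by the owner's exit, nothing re-synchronises it when user space hands the lock out again; only the unlock path, which does enter the kernel because FUTEX_WAITERS is set, can notice that the word and the pi_state disagree, which is exactly where the patch puts the check.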
--- NEW FILE patch-2.6.32.8.bz2.sign ---
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: See http://www.kernel.org/signature.html for info
iD8DBQBLcVzcyGugalF9Dw4RAqc5AJ96A+mGH4rmoydybSFueNcHQ9ZtxQCfejoT
sF9U0wwlHn130FMWqISkg0k=
=8gG6
-----END PGP SIGNATURE-----
Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/.cvsignore,v
retrieving revision 1.1069
retrieving revision 1.1070
diff -u -p -r1.1069 -r1.1070
--- .cvsignore 5 Feb 2010 18:25:22 -0000 1.1069
+++ .cvsignore 9 Feb 2010 13:45:00 -0000 1.1070
@@ -5,5 +5,4 @@ kernel-2.6.*.config
temp-*
kernel-2.6.32
linux-2.6.32.tar.bz2
-patch-2.6.32.7.bz2
-patch-2.6.32.8-rc2.bz2
+patch-2.6.32.8.bz2
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/kernel.spec,v
retrieving revision 1.1814
retrieving revision 1.1815
diff -u -p -r1.1814 -r1.1815
--- kernel.spec 7 Feb 2010 23:16:33 -0000 1.1814
+++ kernel.spec 9 Feb 2010 13:45:00 -0000 1.1815
@@ -42,7 +42,7 @@ Summary: The Linux kernel
# Do we have a -stable update to apply?
%define stable_update 8
# Is it a -stable RC?
-%define stable_rc 2
+%define stable_rc 0
# Set rpm version accordingly
%if 0%{?stable_update}
%define stablerev .%{stable_update}
@@ -754,6 +754,7 @@ Patch12302: prevent-runtime-conntrack-ch
Patch12310: fix-crash-with-sys_move_pages.patch
Patch12311: fix-ima-null-ptr-deref.patch
+Patch12312: futex-handle-user-space-corruption-gracefully.patch
# backport /dev/mem patches for -stable
Patch20010: devmem-introduce-size_inside_page.patch
@@ -1385,6 +1386,7 @@ ApplyPatch prevent-runtime-conntrack-cha
ApplyPatch fix-crash-with-sys_move_pages.patch
ApplyPatch fix-ima-null-ptr-deref.patch
+ApplyPatch futex-handle-user-space-corruption-gracefully.patch
# backport /dev/mem patches for -stable
ApplyPatch devmem-introduce-size_inside_page.patch
@@ -2045,6 +2047,11 @@ fi
# and build.
%changelog
+* Tue Feb 09 2010 Kyle McMartin <kyle at redhat.com> 2.6.32.8-30
+- Linux 2.6.32.8
+- futex-handle-user-space-corruption-gracefully.patch: Fix oops in
+ the PI futex code. (rhbz#563091)
+
* Sun Feb 07 2010 Kyle McMartin <kyle at redhat.com> 2.6.32.8-29.rc2
- Fix i686 builds (we only want PAE & PAEdebug, not i686-debug...)
- Using this kernel is *NOT* recommended yet. Still needs DRM to be
Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/sources,v
retrieving revision 1.1031
retrieving revision 1.1032
diff -u -p -r1.1031 -r1.1032
--- sources 5 Feb 2010 18:25:23 -0000 1.1031
+++ sources 9 Feb 2010 13:45:01 -0000 1.1032
@@ -1,3 +1,2 @@
260551284ac224c3a43c4adac7df4879 linux-2.6.32.tar.bz2
-a68305d3e77dddc9555ba58f678a1ce2 patch-2.6.32.7.bz2
-1fedaaf16da5590829907416d19fb13f patch-2.6.32.8-rc2.bz2
+eabf01da4c72f7ea5b4e4bf8e8535e5f patch-2.6.32.8.bz2
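Review bot: the added line `+eabf01da4c72f7ea5b4e4bf8e8535e5f patch-2.6.32.8.bz2` is an MD5 digest, which only pins the file that was downloaded and is not an authenticity check; that comes from the detached patch-2.6.32.8.bz2.sign added in the same commit, so the digest should be recorded only after that signature has verified against the kernel.org release key, and the commit log could say that it was.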
Index: upstream
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-11/upstream,v
retrieving revision 1.942
retrieving revision 1.943
diff -u -p -r1.942 -r1.943
--- upstream 5 Feb 2010 18:25:23 -0000 1.942
+++ upstream 9 Feb 2010 13:45:01 -0000 1.943
@@ -1,3 +1,2 @@
linux-2.6.32.tar.bz2
-patch-2.6.32.7.bz2
-patch-2.6.32.8-rc2.bz2
+patch-2.6.32.8.bz2
--- patch-2.6.32.7.bz2.sign DELETED ---
--- patch-2.6.32.8-rc2.bz2.sign DELETED ---