rpms/kernel/F-12 futex-handle-user-space-corruption-gracefully.patch, NONE, 1.1.2.2 kernel.spec, 1.1960.2.14, 1.1960.2.15
Kyle McMartin
kyle at fedoraproject.org
Tue Feb 9 13:48:39 UTC 2010
Author: kyle
Update of /cvs/pkgs/rpms/kernel/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23823
Modified Files:
Tag: private-fedora-12-2_6_31
kernel.spec
Added Files:
Tag: private-fedora-12-2_6_31
futex-handle-user-space-corruption-gracefully.patch
Log Message:
* Tue Feb 09 2010 Kyle McMartin <kyle at redhat.com> 2.6.31.12-174.2.15
- futex-handle-user-space-corruption-gracefully.patch: Fix oops in
the PI futex code. (rhbz#563091)
futex-handle-user-space-corruption-gracefully.patch:
futex.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- NEW FILE futex-handle-user-space-corruption-gracefully.patch ---
From 15068e24831bdc61b0cbaa215698fa7553a4a038 Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx at linutronix.de>
Date: Tue, 2 Feb 2010 11:40:27 +0100
Subject: [PATCH] futex: Handle user space corruption gracefully
If the owner of a PI futex dies we fix up the pi_state and set
pi_state->owner to NULL. When a malicious or just sloppily programmed
user space application sets the futex value to 0, e.g. by calling
pthread_mutex_init(), then the futex can be acquired again. A new
waiter manages to enqueue itself on the pi_state w/o damage, but on
unlock the kernel dereferences pi_state->owner and oopses.
Prevent this by checking pi_state->owner in the unlock path. If
pi_state->owner is not current we know that user space manipulated the
futex value. Ignore the mess and return -EINVAL.
This catches the above case and also the case where a task hijacks the
futex by setting the tid value and then tries to unlock it.
Reported-by: Jerome Marchand <jmarchan at redhat.com>
Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
Acked-by: Darren Hart <dvhltc at us.ibm.com>
Acked-by: Peter Zijlstra <a.p.zijlstra at chello.nl>
Cc: <stable at kernel.org>
---
kernel/futex.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/kernel/futex.c b/kernel/futex.c
index ba7f0be..4f3a5ef 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -759,6 +759,13 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
if (!pi_state)
return -EINVAL;
+ /*
+ * If current does not own the pi_state then the futex is
+ * inconsistent and user space fiddled with the futex value.
+ */
+ if (pi_state->owner != current)
+ return -EINVAL;
+
spin_lock(&pi_state->pi_mutex.wait_lock);
new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);
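Review bot: the added comparison `pi_state->owner != current` also rejects the `owner == NULL` state that the commit message says is left behind when the previous owner died, but the comment above it only mentions user space fiddling with the value; stating that a NULL owner is deliberately caught here as well would spare the next reader from re-deriving it. The check also runs before `spin_lock(&pi_state->pi_mutex.wait_lock)` is taken, so nothing in the hunk shows what keeps `pi_state->owner` stable at that point; a one-line comment naming the lock the caller holds would make the `-EINVAL` path easier to audit.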
--
1.6.6
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-12/kernel.spec,v
retrieving revision 1.1960.2.14
retrieving revision 1.1960.2.15
diff -u -p -r1.1960.2.14 -r1.1960.2.15
--- kernel.spec 8 Feb 2010 00:21:57 -0000 1.1960.2.14
+++ kernel.spec 9 Feb 2010 13:48:39 -0000 1.1960.2.15
@@ -835,6 +835,8 @@ Patch16550: fix-crash-with-sys_move_page
Patch16560: quota-remove-dquot_claim_space-warning.patch
+Patch16570: futex-handle-user-space-corruption-gracefully.patch
+
%endif
BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
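Review bot: the extra `+` blank line after `Patch16570:` leaves two empty lines before `%endif`; dropping it keeps the patch list consistent with the entries above it.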
@@ -1556,6 +1558,7 @@ ApplyPatch connector-delete-buggy-notifi
ApplyPatch fix-crash-with-sys_move_pages.patch
# ApplyPatch quota-remove-dquot_claim_space-warning.patch
+ApplyPatch futex-handle-user-space-corruption-gracefully.patch
# END OF PATCH APPLICATIONS
@@ -2206,6 +2209,10 @@ fi
# and build.
%changelog
+* Tue Feb 09 2010 Kyle McMartin <kyle at redhat.com> 2.6.31.12-174.2.15
+- futex-handle-user-space-corruption-gracefully.patch: Fix oops in
+ the PI futex code. (rhbz#563091)
+
* Sun Feb 07 2010 Kyle McMartin <kyle at redhat.com>
- ext4-fix-dq_claim_space.patch: try to fix the quota WARN_ON that's currently
spamming kerneloops for reals.
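Review bot: the new changelog entry cites rhbz#563091 but not the upstream commit it backports, while the patch header itself carries the commit id (`15068e24831bdc61b0cbaa215698fa7553a4a038`) and the stable Cc; adding that id to the `- futex-handle-user-space-corruption-gracefully.patch:` line would let anyone triaging the oops map this build directly to the upstream fix.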