rpms/kernel/F-12 futex-handle-user-space-corruption-gracefully.patch, NONE, 1.1.2.2 kernel.spec, 1.1960.2.14, 1.1960.2.15

Tue Feb 9 13:48:39 UTC 2010

Author: kyle

Update of /cvs/pkgs/rpms/kernel/F-12
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv23823

Modified Files:
      Tag: private-fedora-12-2_6_31
	kernel.spec 
Added Files:
      Tag: private-fedora-12-2_6_31
	futex-handle-user-space-corruption-gracefully.patch 
Log Message:
* Tue Feb 09 2010 Kyle McMartin <kyle at redhat.com> 2.6.31.12-174.2.15
- futex-handle-user-space-corruption-gracefully.patch: Fix oops in
  the PI futex code. (rhbz#563091)


futex-handle-user-space-corruption-gracefully.patch:
 futex.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- NEW FILE futex-handle-user-space-corruption-gracefully.patch ---
>From 15068e24831bdc61b0cbaa215698fa7553a4a038 Mon Sep 17 00:00:00 2001
From: Thomas Gleixner <tglx at linutronix.de>
Date: Tue, 2 Feb 2010 11:40:27 +0100
Subject: [PATCH] futex: Handle user space corruption gracefully

If the owner of a PI futex dies we fix up the pi_state and set
pi_state->owner to NULL. When a malicious or just sloppy programmed
user space application sets the futex value to 0 e.g. by calling
pthread_mutex_init(), then the futex can be acquired again. A new
waiter manages to enqueue itself on the pi_state w/o damage, but on
unlock the kernel dereferences pi_state->owner and oopses.

Prevent this by checking pi_state->owner in the unlock path. If
pi_state->owner is not current we know that user space manipulated the
futex value. Ignore the mess and return -EINVAL.

This catches the above case and also the case where a task hijacks the
futex by setting the tid value and then tries to unlock it.

Reported-by: Jermome Marchand <jmarchan at redhat.com>
Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
Acked-by: Darren Hart <dvhltc at us.ibm.com>
Acked-by: Peter Zijlstra <a.p.zijlstra at chello.nl>
Cc: <stable at kernel.org>
---
 kernel/futex.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/kernel/futex.c b/kernel/futex.c
index ba7f0be..4f3a5ef 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -759,6 +759,13 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
 	if (!pi_state)
 		return -EINVAL;
 
+	/*
+	 * If current does not own the pi_state then the futex is
+	 * inconsistent and user space fiddled with the futex value.
+	 */
+	if (pi_state->owner != current)
+		return -EINVAL;
+
 	spin_lock(&pi_state->pi_mutex.wait_lock);
 	new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);
 
-- 
1.6.6



Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/F-12/kernel.spec,v
retrieving revision 1.1960.2.14
retrieving revision 1.1960.2.15
diff -u -p -r1.1960.2.14 -r1.1960.2.15
--- kernel.spec	8 Feb 2010 00:21:57 -0000	1.1960.2.14
+++ kernel.spec	9 Feb 2010 13:48:39 -0000	1.1960.2.15
@@ -835,6 +835,8 @@ Patch16550: fix-crash-with-sys_move_page
 
 Patch16560: quota-remove-dquot_claim_space-warning.patch
 
+Patch16570: futex-handle-user-space-corruption-gracefully.patch
+
 %endif
 
 BuildRoot: %{_tmppath}/kernel-%{KVERREL}-root
@@ -1556,6 +1558,7 @@ ApplyPatch connector-delete-buggy-notifi
 ApplyPatch fix-crash-with-sys_move_pages.patch
 
 # ApplyPatch quota-remove-dquot_claim_space-warning.patch
+ApplyPatch futex-handle-user-space-corruption-gracefully.patch
 
 # END OF PATCH APPLICATIONS
 
@@ -2206,6 +2209,10 @@ fi
 # and build.
 
 %changelog
+* Tue Feb 09 2010 Kyle McMartin <kyle at redhat.com> 2.6.31.12-174.2.15
+- futex-handle-user-space-corruption-gracefully.patch: Fix oops in
+  the PI futex code. (rhbz#563091)
+
 * Sun Feb 07 2010 Kyle McMartin <kyle at redhat.com>
 - ext4-fix-dq_claim_space.patch: try to fix the quota WARN_ON that's currently
   spamming kerneloops for reals.

