[meta-freescale] [meta-fsl-ppc][dizzy][PATCH 1/3] futex: CVE-2014-3153

Sona Sarmadi sona.sarmadi at enea.com
Wed Sep 9 04:55:29 PDT 2015 

Prevent requeue pi on same futex

References
http://www.openwall.com/lists/oss-security/2014/06/05/22
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/
commit/?id=b9103e5f3a197aec4ec3d78fd5ff2bb74a496b42

Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
---
 .../linux/files/futex-CVE-2014-3153.patch          | 89 ++++++++++++++++++++++
 recipes-kernel/linux/linux-qoriq_3.12.bb           |  1 +
 2 files changed, 90 insertions(+)
 create mode 100644 recipes-kernel/linux/files/futex-CVE-2014-3153.patch

diff --git a/recipes-kernel/linux/files/futex-CVE-2014-3153.patch b/recipes-kernel/linux/files/futex-CVE-2014-3153.patch
new file mode 100644
index 0000000..aa37ce2
--- /dev/null
+++ b/recipes-kernel/linux/files/futex-CVE-2014-3153.patch
@@ -0,0 +1,89 @@
+From b9103e5f3a197aec4ec3d78fd5ff2bb74a496b42 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx at linutronix.de>
+Date: Tue, 3 Jun 2014 12:27:06 +0000
+Subject: [PATCH] futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid
+ uaddr == uaddr2 in futex_requeue(..., requeue_pi=1)
+
+commit e9c243a5a6de0be8e584c604d353412584b592f8 upstream.
+
+If uaddr == uaddr2, then we have broken the rule of only requeueing from
+a non-pi futex to a pi futex with this call.  If we attempt this, then
+dangling pointers may be left for rt_waiter resulting in an exploitable
+condition.
+
+This change brings futex_requeue() in line with futex_wait_requeue_pi()
+which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid
+uaddr == uaddr2 in futex_wait_requeue_pi()")
+
+[ tglx: Compare the resulting keys as well, as uaddrs might be
+  	different depending on the mapping ]
+
+Fixes CVE-2014-3153.
+
+Upstream-Status: Backport
+
+Reported-by: Pinkie Pie
+Signed-off-by: Will Drewry <wad at chromium.org>
+Signed-off-by: Kees Cook <keescook at chromium.org>
+Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
+Reviewed-by: Darren Hart <dvhart at linux.intel.com>
+Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
+Signed-off-by: Jiri Slaby <jslaby at suse.cz>
+Signed-off-by: Sona Sarmadi <sona.sarmadi at enea.com>
+---
+ kernel/futex.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+diff --git a/kernel/futex.c b/kernel/futex.c
+index 6c7975b..ab207d6 100644
+--- a/kernel/futex.c
++++ b/kernel/futex.c
+@@ -1295,6 +1295,13 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
+ 
+ 	if (requeue_pi) {
+ 		/*
++		 * Requeue PI only works on two distinct uaddrs. This
++		 * check is only valid for private futexes. See below.
++		 */
++		if (uaddr1 == uaddr2)
++			return -EINVAL;
++
++		/*
+ 		 * requeue_pi requires a pi_state, try to allocate it now
+ 		 * without any locks in case it fails.
+ 		 */
+@@ -1332,6 +1339,15 @@ retry:
+ 	if (unlikely(ret != 0))
+ 		goto out_put_key1;
+ 
++	/*
++	 * The check above which compares uaddrs is not sufficient for
++	 * shared futexes. We need to compare the keys:
++	 */
++	if (requeue_pi && match_futex(&key1, &key2)) {
++		ret = -EINVAL;
++		goto out_put_keys;
++	}
++
+ 	hb1 = hash_futex(&key1);
+ 	hb2 = hash_futex(&key2);
+ 
+@@ -2362,6 +2378,15 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags,
+ 	if (ret)
+ 		goto out_key2;
+ 
++	/*
++	 * The check above which compares uaddrs is not sufficient for
++	 * shared futexes. We need to compare the keys:
++	 */
++	if (match_futex(&q.key, &key2)) {
++		ret = -EINVAL;
++		goto out_put_keys;
++	}
++
+ 	/* Queue the futex_q, drop the hb lock, wait for wakeup. */
+ 	futex_wait_queue_me(hb, &q, to);
+ 
+-- 
+1.9.1
+
diff --git a/recipes-kernel/linux/linux-qoriq_3.12.bb b/recipes-kernel/linux/linux-qoriq_3.12.bb
index de11046..d3510ac 100644
--- a/recipes-kernel/linux/linux-qoriq_3.12.bb
+++ b/recipes-kernel/linux/linux-qoriq_3.12.bb
@@ -29,6 +29,7 @@ SRC_URI = "git://git.freescale.com/ppc/sdk/linux.git;nobranch=1 \
     file://sctp-CVE-2014-7841.patch \
     file://0001-ALSA-CVE-2014-4656.patch \
     file://0002-ALSA-CVE-2014-4656.patch \
+    file://futex-CVE-2014-3153.patch \
 "
 SRCREV = "6619b8b55796cdf0cec04b66a71288edd3057229"
 
-- 
1.9.1

More information about the meta-freescale mailing list