Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit ff645d04 authored by Thomas Gleixner's avatar Thomas Gleixner Committed by Ian Maund
Browse files

futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == uaddr2 in... 


futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1)

If uaddr == uaddr2, then we have broken the rule of only requeueing
from a non-pi futex to a pi futex with this call. If we attempt this,
then dangling pointers may be left for rt_waiter resulting in an
exploitable condition.

This change brings futex_requeue() into line with
futex_wait_requeue_pi() which performs the same check as per commit
6f7b0a2a (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi())

[ tglx: Compare the resulting keys as well, as uaddrs might be
  	different depending on the mapping ]

Fixes CVE-2014-3153.

Reported-by: Pinkie Pie
Signed-off-by: default avatarWill Drewry <wad@chromium.org>
Signed-off-by: default avatarKees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
Git-commit: 5b3bbe42f5874081123fa3aa4dd85d5e5c806f54
Git-repo: https://android.googlesource.com/kernel/common.git


Signed-off-by: default avatarIan Maund <imaund@codeaurora.org>
parent a9bb53f2
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment