git.openpandora.org
/
pandora-kernel.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
| inline |
side by side
(from parent 1:
39a3400
)
futex: Prevent overflow by strengthen input validation
author
Li Jinyue
<lijinyue@huawei.com>
Thu, 14 Dec 2017 09:04:54 +0000
(17:04 +0800)
committer
Ben Hutchings
<ben@decadent.org.uk>
Sat, 3 Mar 2018 15:50:58 +0000
(15:50 +0000)
commit
fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a
upstream.
UBSAN reports signed integer overflow in kernel/futex.c:
UBSAN: Undefined behaviour in kernel/futex.c:2041:18
signed integer overflow:
0 - -
2147483648
cannot be represented in type 'int'
Add a sanity check to catch negative values of nr_wake and nr_requeue.
Signed-off-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: peterz@infradead.org
Cc: dvhart@infradead.org
Link:
https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
kernel/futex.c
patch
|
blob
|
history
diff --git
a/kernel/futex.c
b/kernel/futex.c
index
3854e75
..
5e48378
100644
(file)
--- a/
kernel/futex.c
+++ b/
kernel/futex.c
@@
-1376,6
+1376,9
@@
static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
struct plist_head *head1;
struct futex_q *this, *next;
+ if (nr_wake < 0 || nr_requeue < 0)
+ return -EINVAL;
+
if (requeue_pi) {
/*
* Requeue PI only works on two distinct uaddrs. This