Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 29 Jun 2021 20:24:31 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: f82ccb6f5974 - releng/11.4 - linux(4): Prevent integer overflow in futex_requeue.
Message-ID:  <202106292024.15TKOVEH007512@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch releng/11.4 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=f82ccb6f5974f0aae5957e47901476bfeb2a5387

commit f82ccb6f5974f0aae5957e47901476bfeb2a5387
Author:     Dmitry Chagin <dchagin@FreeBSD.org>
AuthorDate: 2021-06-10 11:23:11 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2021-06-29 19:59:59 +0000

    linux(4): Prevent integer overflow in futex_requeue.
    
    To prevent a signed integer overflow in futex_requeue add a sanity check
    to catch negative values of nrwake or nrrequeue.
    
    Approved by:    so
    Security:       EN-21:22.linux_futex
    
    (cherry picked from commit 25b09d6f398ea8a260ee8e2e8209fd76c61e13ee)
    (cherry picked from commit f80ee27f447abc7baeb413cc0a7b7c21f9d32f8b)
---
 sys/compat/linux/linux_futex.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/sys/compat/linux/linux_futex.c b/sys/compat/linux/linux_futex.c
index 686d2f7d2ec7..0be0483f4496 100644
--- a/sys/compat/linux/linux_futex.c
+++ b/sys/compat/linux/linux_futex.c
@@ -596,18 +596,19 @@ futex_wake(struct futex *f, int n, uint32_t bitset)
 }
 
 static int
-futex_requeue(struct futex *f, int n, struct futex *f2, int n2)
+futex_requeue(struct futex *f, int nrwake, struct futex *f2,
+    int nrrequeue)
 {
 	struct waiting_proc *wp, *wpt;
 	int count = 0;
 
-	LIN_SDT_PROBE4(futex, futex_requeue, entry, f, n, f2, n2);
+	LIN_SDT_PROBE4(futex, futex_requeue, entry, f, nrwake, f2, nrrequeue);
 
 	FUTEX_ASSERT_LOCKED(f);
 	FUTEX_ASSERT_LOCKED(f2);
 
 	TAILQ_FOREACH_SAFE(wp, &f->f_waiting_proc, wp_list, wpt) {
-		if (++count <= n) {
+		if (++count <= nrwake) {
 			LINUX_CTR2(sys_futex, "futex_req_wake uaddr %p wp %p",
 			    f->f_uaddr, wp);
 			wp->wp_flags |= FUTEX_WP_REMOVED;
@@ -633,7 +634,7 @@ futex_requeue(struct futex *f, int n, struct futex *f2, int n2)
 			FUTEXES_LOCK;
 			++f2->f_refcount;
 			FUTEXES_UNLOCK;
-			if (count - n >= n2)
+			if (count - nrwake >= nrrequeue)
 				break;
 		}
 	}
@@ -744,7 +745,7 @@ futex_atomic_op(struct thread *td, int encoded_op, uint32_t *uaddr)
 int
 linux_sys_futex(struct thread *td, struct linux_sys_futex_args *args)
 {
-	int clockrt, nrwake, op_ret, ret;
+	int clockrt, nrwake, nrrequeue, op_ret, ret;
 	struct linux_pemuldata *pem;
 	struct waiting_proc *wp;
 	struct futex *f, *f2;
@@ -888,6 +889,15 @@ retry0:
 			return (EINVAL);
 		}
 
+		nrrequeue = (int)(unsigned long)args->timeout;
+		nrwake = args->val;
+		/*
+		 * Sanity check to prevent signed integer overflow,
+		 * see Linux CVE-2018-6927
+		 */
+		if (nrwake < 0 || nrrequeue < 0)
+			return (EINVAL);
+
 retry1:
 		error = futex_get(args->uaddr, NULL, &f, flags | FUTEX_DONTLOCK);
 		if (error) {
@@ -938,8 +948,7 @@ retry1:
 			return (EAGAIN);
 		}
 
-		nrwake = (int)(unsigned long)args->timeout;
-		td->td_retval[0] = futex_requeue(f, args->val, f2, nrwake);
+		td->td_retval[0] = futex_requeue(f, nrwake, f2, nrrequeue);
 		futex_put(f2, NULL);
 		futex_put(f, NULL);
 		break;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202106292024.15TKOVEH007512>