diff options
| author | Thomas Gleixner <tglx@linutronix.de> | 2014-06-03 12:27:06 +0000 |
|---|---|---|
| committer | Paul Kocialkowski <contact@paulk.fr> | 2014-07-17 16:50:06 +0200 |
| commit | 3f77878d2e73858ec1a559666aeed198bced6902 (patch) | |
| tree | e9c4be43d140b1d2fd859d4665d43568585e1d51 /arch/ia64/sn | |
| parent | 98aef14b42bb17da3f10f2e68a2b33f3b1e70e0b (diff) | |
| download | kernel_samsung_crespo-3f77878d2e73858ec1a559666aeed198bced6902.zip kernel_samsung_crespo-3f77878d2e73858ec1a559666aeed198bced6902.tar.gz kernel_samsung_crespo-3f77878d2e73858ec1a559666aeed198bced6902.tar.bz2 | |
futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1)
If uaddr == uaddr2, then we have broken the rule of only requeueing
from a non-pi futex to a pi futex with this call. If we attempt this,
then dangling pointers may be left for rt_waiter resulting in an
exploitable condition.
This change brings futex_requeue() into line with
futex_wait_requeue_pi() which performs the same check as per commit
6f7b0a2a5 (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi())
[ tglx: Compare the resulting keys as well, as uaddrs might be
different depending on the mapping ]
Fixes CVE-2014-3153.
Change-Id: I473bf486ad451de0bfd049a110b69795a6fda451
Reported-by: Pinkie Pie
Signed-off-by: Will Drewry <wad@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Diffstat (limited to 'arch/ia64/sn')
0 files changed, 0 insertions, 0 deletions