diff options
| author | Stevan Marinkovic <stevan.marinkovic@imgtec.com> | 2015-11-19 15:38:02 +0100 |
|---|---|---|
| committer | Ziyan <jaraidaniel@gmail.com> | 2016-03-11 16:09:09 +0100 |
| commit | 4473a5cae71c7326f269eaa3ade9fa05b9929f8f (patch) | |
| tree | 3f32262ef22c7a00aba7fe247f74d26a06297f05 /kernel | |
| parent | 5aba133c00683295b1f9b4ae0561cfed95ebd68a (diff) | |
| download | kernel_samsung_espresso10-4473a5cae71c7326f269eaa3ade9fa05b9929f8f.zip kernel_samsung_espresso10-4473a5cae71c7326f269eaa3ade9fa05b9929f8f.tar.gz kernel_samsung_espresso10-4473a5cae71c7326f269eaa3ade9fa05b9929f8f.tar.bz2 | |
Fix security issues reported by the android.security CTS
package
Contains following upstream changes:
a134f083e79fb4c3d0a925691e732c56911b4326
ipv4: Missing sk_nulls_node_init() in ping_unhash().
8176cced706b5e5d15887584150764894e94e02f
perf: Treat attr.config as u64 in perf_swevent_init()
e9c243a5a6de0be8e584c604d353412584b592f8
futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid...
6f7b0a2a5c0fb03be7c25bd1745baa50582348ef
futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi()
Fixes CTS tests:
android.security.cts.NativeCodeTest#testFutex
android.security.cts.NativeCodeTest#testPerfEvent
android.security.cts.NativeCodeTest#testPingPongRoot
Change-Id: Ib9d389c875935e9eb9611be4fc11911383f627fc
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/futex.c | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/kernel/futex.c b/kernel/futex.c index d38153d..c7c19cb 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -1272,6 +1272,13 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags, if (requeue_pi) { /* + * Requeue PI only works on two distinct uaddrs. This + * check is only valid for private futexes. See below. + */ + if (uaddr1 == uaddr2) + return -EINVAL; + + /* * requeue_pi requires a pi_state, try to allocate it now * without any locks in case it fails. */ @@ -1309,6 +1316,15 @@ retry: if (unlikely(ret != 0)) goto out_put_key1; + /* + * The check above which compares uaddrs is not sufficient for + * shared futexes. We need to compare the keys: + */ + if (requeue_pi && match_futex(&key1, &key2)) { + ret = -EINVAL; + goto out_put_keys; + } + hb1 = hash_futex(&key1); hb2 = hash_futex(&key2); @@ -2331,6 +2347,15 @@ static int futex_wait_requeue_pi(u32 __user *uaddr, unsigned int flags, if (ret) goto out_key2; + /* + * The check above which compares uaddrs is not sufficient for + * shared futexes. We need to compare the keys: + */ + if (match_futex(&q.key, &key2)) { + ret = -EINVAL; + goto out_put_keys; + } + /* Queue the futex_q, drop the hb lock, wait for wakeup. */ futex_wait_queue_me(hb, &q, to); |