1 |
Author: tomwij |
2 |
Date: 2014-06-05 23:59:56 +0000 (Thu, 05 Jun 2014) |
3 |
New Revision: 2808 |
4 |
|
5 |
Added: |
6 |
genpatches-2.6/trunk/3.10/1501-futex-add-another-early-deadlock-detection-check.patch |
7 |
genpatches-2.6/trunk/3.10/1502-futex-prevent-attaching-to-kernel-threads.patch |
8 |
genpatches-2.6/trunk/3.10/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch |
9 |
genpatches-2.6/trunk/3.10/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch |
10 |
genpatches-2.6/trunk/3.10/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch |
11 |
genpatches-2.6/trunk/3.10/1506-futex-make-lookup_pi_state-more-robust.patch |
12 |
genpatches-2.6/trunk/3.14/1501-futex-add-another-early-deadlock-detection-check.patch |
13 |
genpatches-2.6/trunk/3.14/1502-futex-prevent-attaching-to-kernel-threads.patch |
14 |
genpatches-2.6/trunk/3.14/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch |
15 |
genpatches-2.6/trunk/3.14/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch |
16 |
genpatches-2.6/trunk/3.14/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch |
17 |
genpatches-2.6/trunk/3.14/1506-futex-make-lookup_pi_state-more-robust.patch |
18 |
Modified: |
19 |
genpatches-2.6/trunk/3.10/0000_README |
20 |
genpatches-2.6/trunk/3.14/0000_README |
21 |
Log: |
22 |
CVE-2014-3153 |
23 |
|
24 |
Modified: genpatches-2.6/trunk/3.10/0000_README |
25 |
=================================================================== |
26 |
--- genpatches-2.6/trunk/3.10/0000_README 2014-06-05 22:22:47 UTC (rev 2807) |
27 |
+++ genpatches-2.6/trunk/3.10/0000_README 2014-06-05 23:59:56 UTC (rev 2808) |
28 |
@@ -214,6 +214,30 @@ |
29 |
From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6a96e15096da6e7491107321cfa660c7c2aa119d |
30 |
Desc: selinux: add SOCK_DIAG_BY_FAMILY to the list of netlink message types |
31 |
|
32 |
+Patch: 1501-futex-add-another-early-deadlock-detection-check.patch |
33 |
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=866293ee54227584ffcb4a42f69c1f365974ba7f |
34 |
+Desc: CVE-2014-3153 |
35 |
+ |
36 |
+Patch: 1502-futex-prevent-attaching-to-kernel-threads.patch |
37 |
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f0d71b3dcb8332f7971b5f2363632573e6d9486a |
38 |
+Desc: CVE-2014-3153 |
39 |
+ |
40 |
+Patch: 1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch |
41 |
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9c243a5a6de0be8e584c604d353412584b592f8 |
42 |
+Desc: CVE-2014-3153 |
43 |
+ |
44 |
+Patch: 1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch |
45 |
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270 |
46 |
+Desc: CVE-2014-3153 |
47 |
+ |
48 |
+Patch: 1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch |
49 |
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e |
50 |
+Desc: CVE-2014-3153 |
51 |
+ |
52 |
+Patch: 1506-futex-make-lookup_pi_state-more-robust.patch |
53 |
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54a217887a7b658e2650c3feff22756ab80c7339 |
54 |
+Desc: CVE-2014-3153 |
55 |
+ |
56 |
Patch: 1700_enable-thinkpad-micled.patch |
57 |
From: https://bugs.gentoo.org/show_bug.cgi?id=449248 |
58 |
Desc: Enable mic mute led in thinkpads |
59 |
|
60 |
Added: genpatches-2.6/trunk/3.10/1501-futex-add-another-early-deadlock-detection-check.patch |
61 |
=================================================================== |
62 |
--- genpatches-2.6/trunk/3.10/1501-futex-add-another-early-deadlock-detection-check.patch (rev 0) |
63 |
+++ genpatches-2.6/trunk/3.10/1501-futex-add-another-early-deadlock-detection-check.patch 2014-06-05 23:59:56 UTC (rev 2808) |
64 |
@@ -0,0 +1,160 @@ |
65 |
+From: Thomas Gleixner <tglx@××××××××××.de> |
66 |
+Date: Mon, 12 May 2014 20:45:34 +0000 |
67 |
+Subject: futex: Add another early deadlock detection check |
68 |
+Git-commit: 866293ee54227584ffcb4a42f69c1f365974ba7f |
69 |
+ |
70 |
+Dave Jones trinity syscall fuzzer exposed an issue in the deadlock |
71 |
+detection code of rtmutex: |
72 |
+ http://lkml.kernel.org/r/20140429151655.GA14277@××××××.com |
73 |
+ |
74 |
+That underlying issue has been fixed with a patch to the rtmutex code, |
75 |
+but the futex code must not call into rtmutex in that case because |
76 |
+ - it can detect that issue early |
77 |
+ - it avoids a different and more complex fixup for backing out |
78 |
+ |
79 |
+If the user space variable got manipulated to 0x80000000 which means |
80 |
+no lock holder, but the waiters bit set and an active pi_state in the |
81 |
+kernel is found we can figure out the recursive locking issue by |
82 |
+looking at the pi_state owner. If that is the current task, then we |
83 |
+can safely return -EDEADLK. |
84 |
+ |
85 |
+The check should have been added in commit 59fa62451 (futex: Handle |
86 |
+futex_pi OWNER_DIED take over correctly) already, but I did not see |
87 |
+the above issue caused by user space manipulation back then. |
88 |
+ |
89 |
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de> |
90 |
+Cc: Dave Jones <davej@××××××.com> |
91 |
+Cc: Linus Torvalds <torvalds@××××××××××××××××.org> |
92 |
+Cc: Peter Zijlstra <peterz@×××××××××.org> |
93 |
+Cc: Darren Hart <darren@××××××.com> |
94 |
+Cc: Davidlohr Bueso <davidlohr@××.com> |
95 |
+Cc: Steven Rostedt <rostedt@×××××××.org> |
96 |
+Cc: Clark Williams <williams@××××××.com> |
97 |
+Cc: Paul McKenney <paulmck@××××××××××××××.com> |
98 |
+Cc: Lai Jiangshan <laijs@××××××××××.com> |
99 |
+Cc: Roland McGrath <roland@×××××××××.com> |
100 |
+Cc: Carlos ODonell <carlos@××××××.com> |
101 |
+Cc: Jakub Jelinek <jakub@××××××.com> |
102 |
+Cc: Michael Kerrisk <mtk.manpages@×××××.com> |
103 |
+Cc: Sebastian Andrzej Siewior <bigeasy@××××××××××.de> |
104 |
+Link: http://lkml.kernel.org/r/20140512201701.097349971@××××××××××.de |
105 |
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de> |
106 |
+Cc: stable@×××××××××××.org |
107 |
+--- |
108 |
+ kernel/futex.c | 47 ++++++++++++++++++++++++++++++++++------------- |
109 |
+ 1 file changed, 34 insertions(+), 13 deletions(-) |
110 |
+ |
111 |
+Index: linux-3.12/kernel/futex.c |
112 |
+=================================================================== |
113 |
+--- linux-3.12.orig/kernel/futex.c |
114 |
++++ linux-3.12/kernel/futex.c |
115 |
+@@ -596,7 +596,8 @@ void exit_pi_state_list(struct task_stru |
116 |
+ |
117 |
+ static int |
118 |
+ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, |
119 |
+- union futex_key *key, struct futex_pi_state **ps) |
120 |
++ union futex_key *key, struct futex_pi_state **ps, |
121 |
++ struct task_struct *task) |
122 |
+ { |
123 |
+ struct futex_pi_state *pi_state = NULL; |
124 |
+ struct futex_q *this, *next; |
125 |
+@@ -640,6 +641,16 @@ lookup_pi_state(u32 uval, struct futex_h |
126 |
+ return -EINVAL; |
127 |
+ } |
128 |
+ |
129 |
++ /* |
130 |
++ * Protect against a corrupted uval. If uval |
131 |
++ * is 0x80000000 then pid is 0 and the waiter |
132 |
++ * bit is set. So the deadlock check in the |
133 |
++ * calling code has failed and we did not fall |
134 |
++ * into the check above due to !pid. |
135 |
++ */ |
136 |
++ if (task && pi_state->owner == task) |
137 |
++ return -EDEADLK; |
138 |
++ |
139 |
+ atomic_inc(&pi_state->refcount); |
140 |
+ *ps = pi_state; |
141 |
+ |
142 |
+@@ -789,7 +800,7 @@ retry: |
143 |
+ * We dont have the lock. Look up the PI state (or create it if |
144 |
+ * we are the first waiter): |
145 |
+ */ |
146 |
+- ret = lookup_pi_state(uval, hb, key, ps); |
147 |
++ ret = lookup_pi_state(uval, hb, key, ps, task); |
148 |
+ |
149 |
+ if (unlikely(ret)) { |
150 |
+ switch (ret) { |
151 |
+@@ -1199,7 +1210,7 @@ void requeue_pi_wake_futex(struct futex_ |
152 |
+ * |
153 |
+ * Return: |
154 |
+ * 0 - failed to acquire the lock atomically; |
155 |
+- * 1 - acquired the lock; |
156 |
++ * >0 - acquired the lock, return value is vpid of the top_waiter |
157 |
+ * <0 - error |
158 |
+ */ |
159 |
+ static int futex_proxy_trylock_atomic(u32 __user *pifutex, |
160 |
+@@ -1210,7 +1221,7 @@ static int futex_proxy_trylock_atomic(u3 |
161 |
+ { |
162 |
+ struct futex_q *top_waiter = NULL; |
163 |
+ u32 curval; |
164 |
+- int ret; |
165 |
++ int ret, vpid; |
166 |
+ |
167 |
+ if (get_futex_value_locked(&curval, pifutex)) |
168 |
+ return -EFAULT; |
169 |
+@@ -1238,11 +1249,13 @@ static int futex_proxy_trylock_atomic(u3 |
170 |
+ * the contended case or if set_waiters is 1. The pi_state is returned |
171 |
+ * in ps in contended cases. |
172 |
+ */ |
173 |
++ vpid = task_pid_vnr(top_waiter->task); |
174 |
+ ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task, |
175 |
+ set_waiters); |
176 |
+- if (ret == 1) |
177 |
++ if (ret == 1) { |
178 |
+ requeue_pi_wake_futex(top_waiter, key2, hb2); |
179 |
+- |
180 |
++ return vpid; |
181 |
++ } |
182 |
+ return ret; |
183 |
+ } |
184 |
+ |
185 |
+@@ -1274,7 +1287,6 @@ static int futex_requeue(u32 __user *uad |
186 |
+ struct futex_hash_bucket *hb1, *hb2; |
187 |
+ struct plist_head *head1; |
188 |
+ struct futex_q *this, *next; |
189 |
+- u32 curval2; |
190 |
+ |
191 |
+ if (requeue_pi) { |
192 |
+ /* |
193 |
+@@ -1360,16 +1372,25 @@ retry_private: |
194 |
+ * At this point the top_waiter has either taken uaddr2 or is |
195 |
+ * waiting on it. If the former, then the pi_state will not |
196 |
+ * exist yet, look it up one more time to ensure we have a |
197 |
+- * reference to it. |
198 |
++ * reference to it. If the lock was taken, ret contains the |
199 |
++ * vpid of the top waiter task. |
200 |
+ */ |
201 |
+- if (ret == 1) { |
202 |
++ if (ret > 0) { |
203 |
+ WARN_ON(pi_state); |
204 |
+ drop_count++; |
205 |
+ task_count++; |
206 |
+- ret = get_futex_value_locked(&curval2, uaddr2); |
207 |
+- if (!ret) |
208 |
+- ret = lookup_pi_state(curval2, hb2, &key2, |
209 |
+- &pi_state); |
210 |
++ /* |
211 |
++ * If we acquired the lock, then the user |
212 |
++ * space value of uaddr2 should be vpid. It |
213 |
++ * cannot be changed by the top waiter as it |
214 |
++ * is blocked on hb2 lock if it tries to do |
215 |
++ * so. If something fiddled with it behind our |
216 |
++ * back the pi state lookup might unearth |
217 |
++ * it. So we rather use the known value than |
218 |
++ * rereading and handing potential crap to |
219 |
++ * lookup_pi_state. |
220 |
++ */ |
221 |
++ ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL); |
222 |
+ } |
223 |
+ |
224 |
+ switch (ret) { |
225 |
|
226 |
Added: genpatches-2.6/trunk/3.10/1502-futex-prevent-attaching-to-kernel-threads.patch |
227 |
=================================================================== |
228 |
--- genpatches-2.6/trunk/3.10/1502-futex-prevent-attaching-to-kernel-threads.patch (rev 0) |
229 |
+++ genpatches-2.6/trunk/3.10/1502-futex-prevent-attaching-to-kernel-threads.patch 2014-06-05 23:59:56 UTC (rev 2808) |
230 |
@@ -0,0 +1,52 @@ |
231 |
+From: Thomas Gleixner <tglx@××××××××××.de> |
232 |
+Date: Mon, 12 May 2014 20:45:35 +0000 |
233 |
+Subject: futex: Prevent attaching to kernel threads |
234 |
+Git-commit: f0d71b3dcb8332f7971b5f2363632573e6d9486a |
235 |
+ |
236 |
+We happily allow userspace to declare a random kernel thread to be the |
237 |
+owner of a user space PI futex. |
238 |
+ |
239 |
+Found while analysing the fallout of Dave Jones syscall fuzzer. |
240 |
+ |
241 |
+We also should validate the thread group for private futexes and find |
242 |
+some fast way to validate whether the "alleged" owner has RW access on |
243 |
+the file which backs the SHM, but that's a separate issue. |
244 |
+ |
245 |
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de> |
246 |
+Cc: Dave Jones <davej@××××××.com> |
247 |
+Cc: Linus Torvalds <torvalds@××××××××××××××××.org> |
248 |
+Cc: Peter Zijlstra <peterz@×××××××××.org> |
249 |
+Cc: Darren Hart <darren@××××××.com> |
250 |
+Cc: Davidlohr Bueso <davidlohr@××.com> |
251 |
+Cc: Steven Rostedt <rostedt@×××××××.org> |
252 |
+Cc: Clark Williams <williams@××××××.com> |
253 |
+Cc: Paul McKenney <paulmck@××××××××××××××.com> |
254 |
+Cc: Lai Jiangshan <laijs@××××××××××.com> |
255 |
+Cc: Roland McGrath <roland@×××××××××.com> |
256 |
+Cc: Carlos ODonell <carlos@××××××.com> |
257 |
+Cc: Jakub Jelinek <jakub@××××××.com> |
258 |
+Cc: Michael Kerrisk <mtk.manpages@×××××.com> |
259 |
+Cc: Sebastian Andrzej Siewior <bigeasy@××××××××××.de> |
260 |
+Link: http://lkml.kernel.org/r/20140512201701.194824402@××××××××××.de |
261 |
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de> |
262 |
+Cc: stable@×××××××××××.org |
263 |
+--- |
264 |
+ kernel/futex.c | 5 +++++ |
265 |
+ 1 file changed, 5 insertions(+) |
266 |
+ |
267 |
+Index: linux-3.12/kernel/futex.c |
268 |
+=================================================================== |
269 |
+--- linux-3.12.orig/kernel/futex.c |
270 |
++++ linux-3.12/kernel/futex.c |
271 |
+@@ -668,6 +668,11 @@ lookup_pi_state(u32 uval, struct futex_h |
272 |
+ if (!p) |
273 |
+ return -ESRCH; |
274 |
+ |
275 |
++ if (!p->mm) { |
276 |
++ put_task_struct(p); |
277 |
++ return -EPERM; |
278 |
++ } |
279 |
++ |
280 |
+ /* |
281 |
+ * We need to look at the task state flags to figure out, |
282 |
+ * whether the task is exiting. To protect against the do_exit |
283 |
|
284 |
Added: genpatches-2.6/trunk/3.10/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch |
285 |
=================================================================== |
286 |
--- genpatches-2.6/trunk/3.10/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch (rev 0) |
287 |
+++ genpatches-2.6/trunk/3.10/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch 2014-06-05 23:59:56 UTC (rev 2808) |
288 |
@@ -0,0 +1,81 @@ |
289 |
+From: Thomas Gleixner <tglx@××××××××××.de> |
290 |
+Date: Tue, 3 Jun 2014 12:27:06 +0000 |
291 |
+Subject: futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == |
292 |
+ uaddr2 in futex_requeue(..., requeue_pi=1) |
293 |
+Git-commit: e9c243a5a6de0be8e584c604d353412584b592f8 |
294 |
+ |
295 |
+If uaddr == uaddr2, then we have broken the rule of only requeueing from |
296 |
+a non-pi futex to a pi futex with this call. If we attempt this, then |
297 |
+dangling pointers may be left for rt_waiter resulting in an exploitable |
298 |
+condition. |
299 |
+ |
300 |
+This change brings futex_requeue() in line with futex_wait_requeue_pi() |
301 |
+which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid |
302 |
+uaddr == uaddr2 in futex_wait_requeue_pi()") |
303 |
+ |
304 |
+[ tglx: Compare the resulting keys as well, as uaddrs might be |
305 |
+ different depending on the mapping ] |
306 |
+ |
307 |
+Fixes CVE-2014-3153. |
308 |
+ |
309 |
+Reported-by: Pinkie Pie |
310 |
+Signed-off-by: Will Drewry <wad@××××××××.org> |
311 |
+Signed-off-by: Kees Cook <keescook@××××××××.org> |
312 |
+Cc: stable@×××××××××××.org |
313 |
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de> |
314 |
+Reviewed-by: Darren Hart <dvhart@×××××××××××.com> |
315 |
+Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org> |
316 |
+--- |
317 |
+ kernel/futex.c | 25 +++++++++++++++++++++++++ |
318 |
+ 1 file changed, 25 insertions(+) |
319 |
+ |
320 |
+Index: linux-3.12/kernel/futex.c |
321 |
+=================================================================== |
322 |
+--- linux-3.12.orig/kernel/futex.c |
323 |
++++ linux-3.12/kernel/futex.c |
324 |
+@@ -1295,6 +1295,13 @@ static int futex_requeue(u32 __user *uad |
325 |
+ |
326 |
+ if (requeue_pi) { |
327 |
+ /* |
328 |
++ * Requeue PI only works on two distinct uaddrs. This |
329 |
++ * check is only valid for private futexes. See below. |
330 |
++ */ |
331 |
++ if (uaddr1 == uaddr2) |
332 |
++ return -EINVAL; |
333 |
++ |
334 |
++ /* |
335 |
+ * requeue_pi requires a pi_state, try to allocate it now |
336 |
+ * without any locks in case it fails. |
337 |
+ */ |
338 |
+@@ -1332,6 +1339,15 @@ retry: |
339 |
+ if (unlikely(ret != 0)) |
340 |
+ goto out_put_key1; |
341 |
+ |
342 |
++ /* |
343 |
++ * The check above which compares uaddrs is not sufficient for |
344 |
++ * shared futexes. We need to compare the keys: |
345 |
++ */ |
346 |
++ if (requeue_pi && match_futex(&key1, &key2)) { |
347 |
++ ret = -EINVAL; |
348 |
++ goto out_put_keys; |
349 |
++ } |
350 |
++ |
351 |
+ hb1 = hash_futex(&key1); |
352 |
+ hb2 = hash_futex(&key2); |
353 |
+ |
354 |
+@@ -2362,6 +2378,15 @@ static int futex_wait_requeue_pi(u32 __u |
355 |
+ if (ret) |
356 |
+ goto out_key2; |
357 |
+ |
358 |
++ /* |
359 |
++ * The check above which compares uaddrs is not sufficient for |
360 |
++ * shared futexes. We need to compare the keys: |
361 |
++ */ |
362 |
++ if (match_futex(&q.key, &key2)) { |
363 |
++ ret = -EINVAL; |
364 |
++ goto out_put_keys; |
365 |
++ } |
366 |
++ |
367 |
+ /* Queue the futex_q, drop the hb lock, wait for wakeup. */ |
368 |
+ futex_wait_queue_me(hb, &q, to); |
369 |
+ |
370 |
|
371 |
Added: genpatches-2.6/trunk/3.10/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch |
372 |
=================================================================== |
373 |
--- genpatches-2.6/trunk/3.10/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch (rev 0) |
374 |
+++ genpatches-2.6/trunk/3.10/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch 2014-06-05 23:59:56 UTC (rev 2808) |
375 |
@@ -0,0 +1,53 @@ |
376 |
+From: Thomas Gleixner <tglx@××××××××××.de> |
377 |
+Date: Tue, 3 Jun 2014 12:27:06 +0000 |
378 |
+Subject: futex: Validate atomic acquisition in futex_lock_pi_atomic() |
379 |
+Git-commit: b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270 |
380 |
+ |
381 |
+We need to protect the atomic acquisition in the kernel against rogue |
382 |
+user space which sets the user space futex to 0, so the kernel side |
383 |
+acquisition succeeds while there is existing state in the kernel |
384 |
+associated to the real owner. |
385 |
+ |
386 |
+Verify whether the futex has waiters associated with kernel state. If |
387 |
+it has, return -EINVAL. The state is corrupted already, so no point in |
388 |
+cleaning it up. Subsequent calls will fail as well. Not our problem. |
389 |
+ |
390 |
+[ tglx: Use futex_top_waiter() and explain why we do not need to try |
391 |
+ restoring the already corrupted user space state. ] |
392 |
+ |
393 |
+Signed-off-by: Darren Hart <dvhart@×××××××××××.com> |
394 |
+Cc: Kees Cook <keescook@××××××××.org> |
395 |
+Cc: Will Drewry <wad@××××××××.org> |
396 |
+Cc: stable@×××××××××××.org |
397 |
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de> |
398 |
+Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org> |
399 |
+--- |
400 |
+ kernel/futex.c | 14 +++++++++++--- |
401 |
+ 1 file changed, 11 insertions(+), 3 deletions(-) |
402 |
+ |
403 |
+Index: linux-3.12/kernel/futex.c |
404 |
+=================================================================== |
405 |
+--- linux-3.12.orig/kernel/futex.c |
406 |
++++ linux-3.12/kernel/futex.c |
407 |
+@@ -764,10 +764,18 @@ retry: |
408 |
+ return -EDEADLK; |
409 |
+ |
410 |
+ /* |
411 |
+- * Surprise - we got the lock. Just return to userspace: |
412 |
++ * Surprise - we got the lock, but we do not trust user space at all. |
413 |
+ */ |
414 |
+- if (unlikely(!curval)) |
415 |
+- return 1; |
416 |
++ if (unlikely(!curval)) { |
417 |
++ /* |
418 |
++ * We verify whether there is kernel state for this |
419 |
++ * futex. If not, we can safely assume, that the 0 -> |
420 |
++ * TID transition is correct. If state exists, we do |
421 |
++ * not bother to fixup the user space state as it was |
422 |
++ * corrupted already. |
423 |
++ */ |
424 |
++ return futex_top_waiter(hb, key) ? -EINVAL : 1; |
425 |
++ } |
426 |
+ |
427 |
+ uval = curval; |
428 |
+ |
429 |
|
430 |
Added: genpatches-2.6/trunk/3.10/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch |
431 |
=================================================================== |
432 |
--- genpatches-2.6/trunk/3.10/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch (rev 0) |
433 |
+++ genpatches-2.6/trunk/3.10/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch 2014-06-05 23:59:56 UTC (rev 2808) |
434 |
@@ -0,0 +1,99 @@ |
435 |
+From: Thomas Gleixner <tglx@××××××××××.de> |
436 |
+Date: Tue, 3 Jun 2014 12:27:07 +0000 |
437 |
+Subject: futex: Always cleanup owner tid in unlock_pi |
438 |
+Git-commit: 13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e |
439 |
+ |
440 |
+If the owner died bit is set at futex_unlock_pi, we currently do not |
441 |
+cleanup the user space futex. So the owner TID of the current owner |
442 |
+(the unlocker) persists. That's observable inconsistant state, |
443 |
+especially when the ownership of the pi state got transferred. |
444 |
+ |
445 |
+Clean it up unconditionally. |
446 |
+ |
447 |
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de> |
448 |
+Cc: Kees Cook <keescook@××××××××.org> |
449 |
+Cc: Will Drewry <wad@××××××××.org> |
450 |
+Cc: Darren Hart <dvhart@×××××××××××.com> |
451 |
+Cc: stable@×××××××××××.org |
452 |
+Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org> |
453 |
+--- |
454 |
+ kernel/futex.c | 40 ++++++++++++++++++---------------------- |
455 |
+ 1 file changed, 18 insertions(+), 22 deletions(-) |
456 |
+ |
457 |
+Index: linux-3.12/kernel/futex.c |
458 |
+=================================================================== |
459 |
+--- linux-3.12.orig/kernel/futex.c |
460 |
++++ linux-3.12/kernel/futex.c |
461 |
+@@ -905,6 +905,7 @@ static int wake_futex_pi(u32 __user *uad |
462 |
+ struct task_struct *new_owner; |
463 |
+ struct futex_pi_state *pi_state = this->pi_state; |
464 |
+ u32 uninitialized_var(curval), newval; |
465 |
++ int ret = 0; |
466 |
+ |
467 |
+ if (!pi_state) |
468 |
+ return -EINVAL; |
469 |
+@@ -928,23 +929,19 @@ static int wake_futex_pi(u32 __user *uad |
470 |
+ new_owner = this->task; |
471 |
+ |
472 |
+ /* |
473 |
+- * We pass it to the next owner. (The WAITERS bit is always |
474 |
+- * kept enabled while there is PI state around. We must also |
475 |
+- * preserve the owner died bit.) |
476 |
+- */ |
477 |
+- if (!(uval & FUTEX_OWNER_DIED)) { |
478 |
+- int ret = 0; |
479 |
+- |
480 |
+- newval = FUTEX_WAITERS | task_pid_vnr(new_owner); |
481 |
+- |
482 |
+- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) |
483 |
+- ret = -EFAULT; |
484 |
+- else if (curval != uval) |
485 |
+- ret = -EINVAL; |
486 |
+- if (ret) { |
487 |
+- raw_spin_unlock(&pi_state->pi_mutex.wait_lock); |
488 |
+- return ret; |
489 |
+- } |
490 |
++ * We pass it to the next owner. The WAITERS bit is always |
491 |
++ * kept enabled while there is PI state around. We cleanup the |
492 |
++ * owner died bit, because we are the owner. |
493 |
++ */ |
494 |
++ newval = FUTEX_WAITERS | task_pid_vnr(new_owner); |
495 |
++ |
496 |
++ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) |
497 |
++ ret = -EFAULT; |
498 |
++ else if (curval != uval) |
499 |
++ ret = -EINVAL; |
500 |
++ if (ret) { |
501 |
++ raw_spin_unlock(&pi_state->pi_mutex.wait_lock); |
502 |
++ return ret; |
503 |
+ } |
504 |
+ |
505 |
+ raw_spin_lock_irq(&pi_state->owner->pi_lock); |
506 |
+@@ -2189,9 +2186,10 @@ retry: |
507 |
+ /* |
508 |
+ * To avoid races, try to do the TID -> 0 atomic transition |
509 |
+ * again. If it succeeds then we can return without waking |
510 |
+- * anyone else up: |
511 |
++ * anyone else up. We only try this if neither the waiters nor |
512 |
++ * the owner died bit are set. |
513 |
+ */ |
514 |
+- if (!(uval & FUTEX_OWNER_DIED) && |
515 |
++ if (!(uval & ~FUTEX_TID_MASK) && |
516 |
+ cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0)) |
517 |
+ goto pi_faulted; |
518 |
+ /* |
519 |
+@@ -2223,11 +2221,9 @@ retry: |
520 |
+ /* |
521 |
+ * No waiters - kernel unlocks the futex: |
522 |
+ */ |
523 |
+- if (!(uval & FUTEX_OWNER_DIED)) { |
524 |
+- ret = unlock_futex_pi(uaddr, uval); |
525 |
+- if (ret == -EFAULT) |
526 |
+- goto pi_faulted; |
527 |
+- } |
528 |
++ ret = unlock_futex_pi(uaddr, uval); |
529 |
++ if (ret == -EFAULT) |
530 |
++ goto pi_faulted; |
531 |
+ |
532 |
+ out_unlock: |
533 |
+ spin_unlock(&hb->lock); |
534 |
|
535 |
Added: genpatches-2.6/trunk/3.10/1506-futex-make-lookup_pi_state-more-robust.patch |
536 |
=================================================================== |
537 |
(Binary files differ) |
538 |
|
539 |
Index: genpatches-2.6/trunk/3.10/1506-futex-make-lookup_pi_state-more-robust.patch |
540 |
=================================================================== |
541 |
--- genpatches-2.6/trunk/3.10/1506-futex-make-lookup_pi_state-more-robust.patch 2014-06-05 22:22:47 UTC (rev 2807) |
542 |
+++ genpatches-2.6/trunk/3.10/1506-futex-make-lookup_pi_state-more-robust.patch 2014-06-05 23:59:56 UTC (rev 2808) |
543 |
|
544 |
Property changes on: genpatches-2.6/trunk/3.10/1506-futex-make-lookup_pi_state-more-robust.patch |
545 |
___________________________________________________________________ |
546 |
Added: svn:mime-type |
547 |
## -0,0 +1 ## |
548 |
+message/rfc822 |
549 |
\ No newline at end of property |
550 |
Modified: genpatches-2.6/trunk/3.14/0000_README |
551 |
=================================================================== |
552 |
--- genpatches-2.6/trunk/3.14/0000_README 2014-06-05 22:22:47 UTC (rev 2807) |
553 |
+++ genpatches-2.6/trunk/3.14/0000_README 2014-06-05 23:59:56 UTC (rev 2808) |
554 |
@@ -66,6 +66,30 @@ |
555 |
From: https://bugs.gentoo.org/show_bug.cgi?id=470644 |
556 |
Desc: Support for namespace user.pax.* on tmpfs. |
557 |
|
558 |
+Patch: 1501-futex-add-another-early-deadlock-detection-check.patch |
559 |
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=866293ee54227584ffcb4a42f69c1f365974ba7f |
560 |
+Desc: CVE-2014-3153 |
561 |
+ |
562 |
+Patch: 1502-futex-prevent-attaching-to-kernel-threads.patch |
563 |
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f0d71b3dcb8332f7971b5f2363632573e6d9486a |
564 |
+Desc: CVE-2014-3153 |
565 |
+ |
566 |
+Patch: 1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch |
567 |
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9c243a5a6de0be8e584c604d353412584b592f8 |
568 |
+Desc: CVE-2014-3153 |
569 |
+ |
570 |
+Patch: 1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch |
571 |
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270 |
572 |
+Desc: CVE-2014-3153 |
573 |
+ |
574 |
+Patch: 1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch |
575 |
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e |
576 |
+Desc: CVE-2014-3153 |
577 |
+ |
578 |
+Patch: 1506-futex-make-lookup_pi_state-more-robust.patch |
579 |
+From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54a217887a7b658e2650c3feff22756ab80c7339 |
580 |
+Desc: CVE-2014-3153 |
581 |
+ |
582 |
Patch: 1700_enable-thinkpad-micled.patch |
583 |
From: https://bugs.gentoo.org/show_bug.cgi?id=449248 |
584 |
Desc: Enable mic mute led in thinkpads |
585 |
|
586 |
Added: genpatches-2.6/trunk/3.14/1501-futex-add-another-early-deadlock-detection-check.patch |
587 |
=================================================================== |
588 |
--- genpatches-2.6/trunk/3.14/1501-futex-add-another-early-deadlock-detection-check.patch (rev 0) |
589 |
+++ genpatches-2.6/trunk/3.14/1501-futex-add-another-early-deadlock-detection-check.patch 2014-06-05 23:59:56 UTC (rev 2808) |
590 |
@@ -0,0 +1,160 @@ |
591 |
+From: Thomas Gleixner <tglx@××××××××××.de> |
592 |
+Date: Mon, 12 May 2014 20:45:34 +0000 |
593 |
+Subject: futex: Add another early deadlock detection check |
594 |
+Git-commit: 866293ee54227584ffcb4a42f69c1f365974ba7f |
595 |
+ |
596 |
+Dave Jones trinity syscall fuzzer exposed an issue in the deadlock |
597 |
+detection code of rtmutex: |
598 |
+ http://lkml.kernel.org/r/20140429151655.GA14277@××××××.com |
599 |
+ |
600 |
+That underlying issue has been fixed with a patch to the rtmutex code, |
601 |
+but the futex code must not call into rtmutex in that case because |
602 |
+ - it can detect that issue early |
603 |
+ - it avoids a different and more complex fixup for backing out |
604 |
+ |
605 |
+If the user space variable got manipulated to 0x80000000 which means |
606 |
+no lock holder, but the waiters bit set and an active pi_state in the |
607 |
+kernel is found we can figure out the recursive locking issue by |
608 |
+looking at the pi_state owner. If that is the current task, then we |
609 |
+can safely return -EDEADLK. |
610 |
+ |
611 |
+The check should have been added in commit 59fa62451 (futex: Handle |
612 |
+futex_pi OWNER_DIED take over correctly) already, but I did not see |
613 |
+the above issue caused by user space manipulation back then. |
614 |
+ |
615 |
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de> |
616 |
+Cc: Dave Jones <davej@××××××.com> |
617 |
+Cc: Linus Torvalds <torvalds@××××××××××××××××.org> |
618 |
+Cc: Peter Zijlstra <peterz@×××××××××.org> |
619 |
+Cc: Darren Hart <darren@××××××.com> |
620 |
+Cc: Davidlohr Bueso <davidlohr@××.com> |
621 |
+Cc: Steven Rostedt <rostedt@×××××××.org> |
622 |
+Cc: Clark Williams <williams@××××××.com> |
623 |
+Cc: Paul McKenney <paulmck@××××××××××××××.com> |
624 |
+Cc: Lai Jiangshan <laijs@××××××××××.com> |
625 |
+Cc: Roland McGrath <roland@×××××××××.com> |
626 |
+Cc: Carlos ODonell <carlos@××××××.com> |
627 |
+Cc: Jakub Jelinek <jakub@××××××.com> |
628 |
+Cc: Michael Kerrisk <mtk.manpages@×××××.com> |
629 |
+Cc: Sebastian Andrzej Siewior <bigeasy@××××××××××.de> |
630 |
+Link: http://lkml.kernel.org/r/20140512201701.097349971@××××××××××.de |
631 |
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de> |
632 |
+Cc: stable@×××××××××××.org |
633 |
+--- |
634 |
+ kernel/futex.c | 47 ++++++++++++++++++++++++++++++++++------------- |
635 |
+ 1 file changed, 34 insertions(+), 13 deletions(-) |
636 |
+ |
637 |
+Index: linux-3.12/kernel/futex.c |
638 |
+=================================================================== |
639 |
+--- linux-3.12.orig/kernel/futex.c |
640 |
++++ linux-3.12/kernel/futex.c |
641 |
+@@ -596,7 +596,8 @@ void exit_pi_state_list(struct task_stru |
642 |
+ |
643 |
+ static int |
644 |
+ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, |
645 |
+- union futex_key *key, struct futex_pi_state **ps) |
646 |
++ union futex_key *key, struct futex_pi_state **ps, |
647 |
++ struct task_struct *task) |
648 |
+ { |
649 |
+ struct futex_pi_state *pi_state = NULL; |
650 |
+ struct futex_q *this, *next; |
651 |
+@@ -640,6 +641,16 @@ lookup_pi_state(u32 uval, struct futex_h |
652 |
+ return -EINVAL; |
653 |
+ } |
654 |
+ |
655 |
++ /* |
656 |
++ * Protect against a corrupted uval. If uval |
657 |
++ * is 0x80000000 then pid is 0 and the waiter |
658 |
++ * bit is set. So the deadlock check in the |
659 |
++ * calling code has failed and we did not fall |
660 |
++ * into the check above due to !pid. |
661 |
++ */ |
662 |
++ if (task && pi_state->owner == task) |
663 |
++ return -EDEADLK; |
664 |
++ |
665 |
+ atomic_inc(&pi_state->refcount); |
666 |
+ *ps = pi_state; |
667 |
+ |
668 |
+@@ -789,7 +800,7 @@ retry: |
669 |
+ * We dont have the lock. Look up the PI state (or create it if |
670 |
+ * we are the first waiter): |
671 |
+ */ |
672 |
+- ret = lookup_pi_state(uval, hb, key, ps); |
673 |
++ ret = lookup_pi_state(uval, hb, key, ps, task); |
674 |
+ |
675 |
+ if (unlikely(ret)) { |
676 |
+ switch (ret) { |
677 |
+@@ -1199,7 +1210,7 @@ void requeue_pi_wake_futex(struct futex_ |
678 |
+ * |
679 |
+ * Return: |
680 |
+ * 0 - failed to acquire the lock atomically; |
681 |
+- * 1 - acquired the lock; |
682 |
++ * >0 - acquired the lock, return value is vpid of the top_waiter |
683 |
+ * <0 - error |
684 |
+ */ |
685 |
+ static int futex_proxy_trylock_atomic(u32 __user *pifutex, |
686 |
+@@ -1210,7 +1221,7 @@ static int futex_proxy_trylock_atomic(u3 |
687 |
+ { |
688 |
+ struct futex_q *top_waiter = NULL; |
689 |
+ u32 curval; |
690 |
+- int ret; |
691 |
++ int ret, vpid; |
692 |
+ |
693 |
+ if (get_futex_value_locked(&curval, pifutex)) |
694 |
+ return -EFAULT; |
695 |
+@@ -1238,11 +1249,13 @@ static int futex_proxy_trylock_atomic(u3 |
696 |
+ * the contended case or if set_waiters is 1. The pi_state is returned |
697 |
+ * in ps in contended cases. |
698 |
+ */ |
699 |
++ vpid = task_pid_vnr(top_waiter->task); |
700 |
+ ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task, |
701 |
+ set_waiters); |
702 |
+- if (ret == 1) |
703 |
++ if (ret == 1) { |
704 |
+ requeue_pi_wake_futex(top_waiter, key2, hb2); |
705 |
+- |
706 |
++ return vpid; |
707 |
++ } |
708 |
+ return ret; |
709 |
+ } |
710 |
+ |
711 |
+@@ -1274,7 +1287,6 @@ static int futex_requeue(u32 __user *uad |
712 |
+ struct futex_hash_bucket *hb1, *hb2; |
713 |
+ struct plist_head *head1; |
714 |
+ struct futex_q *this, *next; |
715 |
+- u32 curval2; |
716 |
+ |
717 |
+ if (requeue_pi) { |
718 |
+ /* |
719 |
+@@ -1360,16 +1372,25 @@ retry_private: |
720 |
+ * At this point the top_waiter has either taken uaddr2 or is |
721 |
+ * waiting on it. If the former, then the pi_state will not |
722 |
+ * exist yet, look it up one more time to ensure we have a |
723 |
+- * reference to it. |
724 |
++ * reference to it. If the lock was taken, ret contains the |
725 |
++ * vpid of the top waiter task. |
726 |
+ */ |
727 |
+- if (ret == 1) { |
728 |
++ if (ret > 0) { |
729 |
+ WARN_ON(pi_state); |
730 |
+ drop_count++; |
731 |
+ task_count++; |
732 |
+- ret = get_futex_value_locked(&curval2, uaddr2); |
733 |
+- if (!ret) |
734 |
+- ret = lookup_pi_state(curval2, hb2, &key2, |
735 |
+- &pi_state); |
736 |
++ /* |
737 |
++ * If we acquired the lock, then the user |
738 |
++ * space value of uaddr2 should be vpid. It |
739 |
++ * cannot be changed by the top waiter as it |
740 |
++ * is blocked on hb2 lock if it tries to do |
741 |
++ * so. If something fiddled with it behind our |
742 |
++ * back the pi state lookup might unearth |
743 |
++ * it. So we rather use the known value than |
744 |
++ * rereading and handing potential crap to |
745 |
++ * lookup_pi_state. |
746 |
++ */ |
747 |
++ ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL); |
748 |
+ } |
749 |
+ |
750 |
+ switch (ret) { |
751 |
|
752 |
Added: genpatches-2.6/trunk/3.14/1502-futex-prevent-attaching-to-kernel-threads.patch |
753 |
=================================================================== |
754 |
--- genpatches-2.6/trunk/3.14/1502-futex-prevent-attaching-to-kernel-threads.patch (rev 0) |
755 |
+++ genpatches-2.6/trunk/3.14/1502-futex-prevent-attaching-to-kernel-threads.patch 2014-06-05 23:59:56 UTC (rev 2808) |
756 |
@@ -0,0 +1,52 @@ |
757 |
+From: Thomas Gleixner <tglx@××××××××××.de> |
758 |
+Date: Mon, 12 May 2014 20:45:35 +0000 |
759 |
+Subject: futex: Prevent attaching to kernel threads |
760 |
+Git-commit: f0d71b3dcb8332f7971b5f2363632573e6d9486a |
761 |
+ |
762 |
+We happily allow userspace to declare a random kernel thread to be the |
763 |
+owner of a user space PI futex. |
764 |
+ |
765 |
+Found while analysing the fallout of Dave Jones syscall fuzzer. |
766 |
+ |
767 |
+We also should validate the thread group for private futexes and find |
768 |
+some fast way to validate whether the "alleged" owner has RW access on |
769 |
+the file which backs the SHM, but that's a separate issue. |
770 |
+ |
771 |
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de> |
772 |
+Cc: Dave Jones <davej@××××××.com> |
773 |
+Cc: Linus Torvalds <torvalds@××××××××××××××××.org> |
774 |
+Cc: Peter Zijlstra <peterz@×××××××××.org> |
775 |
+Cc: Darren Hart <darren@××××××.com> |
776 |
+Cc: Davidlohr Bueso <davidlohr@××.com> |
777 |
+Cc: Steven Rostedt <rostedt@×××××××.org> |
778 |
+Cc: Clark Williams <williams@××××××.com> |
779 |
+Cc: Paul McKenney <paulmck@××××××××××××××.com> |
780 |
+Cc: Lai Jiangshan <laijs@××××××××××.com> |
781 |
+Cc: Roland McGrath <roland@×××××××××.com> |
782 |
+Cc: Carlos ODonell <carlos@××××××.com> |
783 |
+Cc: Jakub Jelinek <jakub@××××××.com> |
784 |
+Cc: Michael Kerrisk <mtk.manpages@×××××.com> |
785 |
+Cc: Sebastian Andrzej Siewior <bigeasy@××××××××××.de> |
786 |
+Link: http://lkml.kernel.org/r/20140512201701.194824402@××××××××××.de |
787 |
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de> |
788 |
+Cc: stable@×××××××××××.org |
789 |
+--- |
790 |
+ kernel/futex.c | 5 +++++ |
791 |
+ 1 file changed, 5 insertions(+) |
792 |
+ |
793 |
+Index: linux-3.12/kernel/futex.c |
794 |
+=================================================================== |
795 |
+--- linux-3.12.orig/kernel/futex.c |
796 |
++++ linux-3.12/kernel/futex.c |
797 |
+@@ -668,6 +668,11 @@ lookup_pi_state(u32 uval, struct futex_h |
798 |
+ if (!p) |
799 |
+ return -ESRCH; |
800 |
+ |
801 |
++ if (!p->mm) { |
802 |
++ put_task_struct(p); |
803 |
++ return -EPERM; |
804 |
++ } |
805 |
++ |
806 |
+ /* |
807 |
+ * We need to look at the task state flags to figure out, |
808 |
+ * whether the task is exiting. To protect against the do_exit |
809 |
|
810 |
Added: genpatches-2.6/trunk/3.14/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch |
811 |
=================================================================== |
812 |
--- genpatches-2.6/trunk/3.14/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch (rev 0) |
813 |
+++ genpatches-2.6/trunk/3.14/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch 2014-06-05 23:59:56 UTC (rev 2808) |
814 |
@@ -0,0 +1,81 @@ |
815 |
+From: Thomas Gleixner <tglx@××××××××××.de> |
816 |
+Date: Tue, 3 Jun 2014 12:27:06 +0000 |
817 |
+Subject: futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == |
818 |
+ uaddr2 in futex_requeue(..., requeue_pi=1) |
819 |
+Git-commit: e9c243a5a6de0be8e584c604d353412584b592f8 |
820 |
+ |
821 |
+If uaddr == uaddr2, then we have broken the rule of only requeueing from |
822 |
+a non-pi futex to a pi futex with this call. If we attempt this, then |
823 |
+dangling pointers may be left for rt_waiter resulting in an exploitable |
824 |
+condition. |
825 |
+ |
826 |
+This change brings futex_requeue() in line with futex_wait_requeue_pi() |
827 |
+which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid |
828 |
+uaddr == uaddr2 in futex_wait_requeue_pi()") |
829 |
+ |
830 |
+[ tglx: Compare the resulting keys as well, as uaddrs might be |
831 |
+ different depending on the mapping ] |
832 |
+ |
833 |
+Fixes CVE-2014-3153. |
834 |
+ |
835 |
+Reported-by: Pinkie Pie |
836 |
+Signed-off-by: Will Drewry <wad@××××××××.org> |
837 |
+Signed-off-by: Kees Cook <keescook@××××××××.org> |
838 |
+Cc: stable@×××××××××××.org |
839 |
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de> |
840 |
+Reviewed-by: Darren Hart <dvhart@×××××××××××.com> |
841 |
+Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org> |
842 |
+--- |
843 |
+ kernel/futex.c | 25 +++++++++++++++++++++++++ |
844 |
+ 1 file changed, 25 insertions(+) |
845 |
+ |
846 |
+Index: linux-3.12/kernel/futex.c |
847 |
+=================================================================== |
848 |
+--- linux-3.12.orig/kernel/futex.c |
849 |
++++ linux-3.12/kernel/futex.c |
850 |
+@@ -1295,6 +1295,13 @@ static int futex_requeue(u32 __user *uad |
851 |
+ |
852 |
+ if (requeue_pi) { |
853 |
+ /* |
854 |
++ * Requeue PI only works on two distinct uaddrs. This |
855 |
++ * check is only valid for private futexes. See below. |
856 |
++ */ |
857 |
++ if (uaddr1 == uaddr2) |
858 |
++ return -EINVAL; |
859 |
++ |
860 |
++ /* |
861 |
+ * requeue_pi requires a pi_state, try to allocate it now |
862 |
+ * without any locks in case it fails. |
863 |
+ */ |
864 |
+@@ -1332,6 +1339,15 @@ retry: |
865 |
+ if (unlikely(ret != 0)) |
866 |
+ goto out_put_key1; |
867 |
+ |
868 |
++ /* |
869 |
++ * The check above which compares uaddrs is not sufficient for |
870 |
++ * shared futexes. We need to compare the keys: |
871 |
++ */ |
872 |
++ if (requeue_pi && match_futex(&key1, &key2)) { |
873 |
++ ret = -EINVAL; |
874 |
++ goto out_put_keys; |
875 |
++ } |
876 |
++ |
877 |
+ hb1 = hash_futex(&key1); |
878 |
+ hb2 = hash_futex(&key2); |
879 |
+ |
880 |
+@@ -2362,6 +2378,15 @@ static int futex_wait_requeue_pi(u32 __u |
881 |
+ if (ret) |
882 |
+ goto out_key2; |
883 |
+ |
884 |
++ /* |
885 |
++ * The check above which compares uaddrs is not sufficient for |
886 |
++ * shared futexes. We need to compare the keys: |
887 |
++ */ |
888 |
++ if (match_futex(&q.key, &key2)) { |
889 |
++ ret = -EINVAL; |
890 |
++ goto out_put_keys; |
891 |
++ } |
892 |
++ |
893 |
+ /* Queue the futex_q, drop the hb lock, wait for wakeup. */ |
894 |
+ futex_wait_queue_me(hb, &q, to); |
895 |
+ |
896 |
|
897 |
Added: genpatches-2.6/trunk/3.14/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch |
898 |
=================================================================== |
899 |
--- genpatches-2.6/trunk/3.14/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch (rev 0) |
900 |
+++ genpatches-2.6/trunk/3.14/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch 2014-06-05 23:59:56 UTC (rev 2808) |
901 |
@@ -0,0 +1,53 @@ |
902 |
+From: Thomas Gleixner <tglx@××××××××××.de> |
903 |
+Date: Tue, 3 Jun 2014 12:27:06 +0000 |
904 |
+Subject: futex: Validate atomic acquisition in futex_lock_pi_atomic() |
905 |
+Git-commit: b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270 |
906 |
+ |
907 |
+We need to protect the atomic acquisition in the kernel against rogue |
908 |
+user space which sets the user space futex to 0, so the kernel side |
909 |
+acquisition succeeds while there is existing state in the kernel |
910 |
+associated to the real owner. |
911 |
+ |
912 |
+Verify whether the futex has waiters associated with kernel state. If |
913 |
+it has, return -EINVAL. The state is corrupted already, so no point in |
914 |
+cleaning it up. Subsequent calls will fail as well. Not our problem. |
915 |
+ |
916 |
+[ tglx: Use futex_top_waiter() and explain why we do not need to try |
917 |
+ restoring the already corrupted user space state. ] |
918 |
+ |
919 |
+Signed-off-by: Darren Hart <dvhart@×××××××××××.com> |
920 |
+Cc: Kees Cook <keescook@××××××××.org> |
921 |
+Cc: Will Drewry <wad@××××××××.org> |
922 |
+Cc: stable@×××××××××××.org |
923 |
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de> |
924 |
+Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org> |
925 |
+--- |
926 |
+ kernel/futex.c | 14 +++++++++++--- |
927 |
+ 1 file changed, 11 insertions(+), 3 deletions(-) |
928 |
+ |
929 |
+Index: linux-3.12/kernel/futex.c |
930 |
+=================================================================== |
931 |
+--- linux-3.12.orig/kernel/futex.c |
932 |
++++ linux-3.12/kernel/futex.c |
933 |
+@@ -764,10 +764,18 @@ retry: |
934 |
+ return -EDEADLK; |
935 |
+ |
936 |
+ /* |
937 |
+- * Surprise - we got the lock. Just return to userspace: |
938 |
++ * Surprise - we got the lock, but we do not trust user space at all. |
939 |
+ */ |
940 |
+- if (unlikely(!curval)) |
941 |
+- return 1; |
942 |
++ if (unlikely(!curval)) { |
943 |
++ /* |
944 |
++ * We verify whether there is kernel state for this |
945 |
++ * futex. If not, we can safely assume, that the 0 -> |
946 |
++ * TID transition is correct. If state exists, we do |
947 |
++ * not bother to fixup the user space state as it was |
948 |
++ * corrupted already. |
949 |
++ */ |
950 |
++ return futex_top_waiter(hb, key) ? -EINVAL : 1; |
951 |
++ } |
952 |
+ |
953 |
+ uval = curval; |
954 |
+ |
955 |
|
956 |
Added: genpatches-2.6/trunk/3.14/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch |
957 |
=================================================================== |
958 |
--- genpatches-2.6/trunk/3.14/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch (rev 0) |
959 |
+++ genpatches-2.6/trunk/3.14/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch 2014-06-05 23:59:56 UTC (rev 2808) |
960 |
@@ -0,0 +1,99 @@ |
961 |
+From: Thomas Gleixner <tglx@××××××××××.de> |
962 |
+Date: Tue, 3 Jun 2014 12:27:07 +0000 |
963 |
+Subject: futex: Always cleanup owner tid in unlock_pi |
964 |
+Git-commit: 13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e |
965 |
+ |
966 |
+If the owner died bit is set at futex_unlock_pi, we currently do not |
967 |
+cleanup the user space futex. So the owner TID of the current owner |
968 |
+(the unlocker) persists. That's observable inconsistant state, |
969 |
+especially when the ownership of the pi state got transferred. |
970 |
+ |
971 |
+Clean it up unconditionally. |
972 |
+ |
973 |
+Signed-off-by: Thomas Gleixner <tglx@××××××××××.de> |
974 |
+Cc: Kees Cook <keescook@××××××××.org> |
975 |
+Cc: Will Drewry <wad@××××××××.org> |
976 |
+Cc: Darren Hart <dvhart@×××××××××××.com> |
977 |
+Cc: stable@×××××××××××.org |
978 |
+Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org> |
979 |
+--- |
980 |
+ kernel/futex.c | 40 ++++++++++++++++++---------------------- |
981 |
+ 1 file changed, 18 insertions(+), 22 deletions(-) |
982 |
+ |
983 |
+Index: linux-3.12/kernel/futex.c |
984 |
+=================================================================== |
985 |
+--- linux-3.12.orig/kernel/futex.c |
986 |
++++ linux-3.12/kernel/futex.c |
987 |
+@@ -905,6 +905,7 @@ static int wake_futex_pi(u32 __user *uad |
988 |
+ struct task_struct *new_owner; |
989 |
+ struct futex_pi_state *pi_state = this->pi_state; |
990 |
+ u32 uninitialized_var(curval), newval; |
991 |
++ int ret = 0; |
992 |
+ |
993 |
+ if (!pi_state) |
994 |
+ return -EINVAL; |
995 |
+@@ -928,23 +929,19 @@ static int wake_futex_pi(u32 __user *uad |
996 |
+ new_owner = this->task; |
997 |
+ |
998 |
+ /* |
999 |
+- * We pass it to the next owner. (The WAITERS bit is always |
1000 |
+- * kept enabled while there is PI state around. We must also |
1001 |
+- * preserve the owner died bit.) |
1002 |
+- */ |
1003 |
+- if (!(uval & FUTEX_OWNER_DIED)) { |
1004 |
+- int ret = 0; |
1005 |
+- |
1006 |
+- newval = FUTEX_WAITERS | task_pid_vnr(new_owner); |
1007 |
+- |
1008 |
+- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) |
1009 |
+- ret = -EFAULT; |
1010 |
+- else if (curval != uval) |
1011 |
+- ret = -EINVAL; |
1012 |
+- if (ret) { |
1013 |
+- raw_spin_unlock(&pi_state->pi_mutex.wait_lock); |
1014 |
+- return ret; |
1015 |
+- } |
1016 |
++ * We pass it to the next owner. The WAITERS bit is always |
1017 |
++ * kept enabled while there is PI state around. We cleanup the |
1018 |
++ * owner died bit, because we are the owner. |
1019 |
++ */ |
1020 |
++ newval = FUTEX_WAITERS | task_pid_vnr(new_owner); |
1021 |
++ |
1022 |
++ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval)) |
1023 |
++ ret = -EFAULT; |
1024 |
++ else if (curval != uval) |
1025 |
++ ret = -EINVAL; |
1026 |
++ if (ret) { |
1027 |
++ raw_spin_unlock(&pi_state->pi_mutex.wait_lock); |
1028 |
++ return ret; |
1029 |
+ } |
1030 |
+ |
1031 |
+ raw_spin_lock_irq(&pi_state->owner->pi_lock); |
1032 |
+@@ -2189,9 +2186,10 @@ retry: |
1033 |
+ /* |
1034 |
+ * To avoid races, try to do the TID -> 0 atomic transition |
1035 |
+ * again. If it succeeds then we can return without waking |
1036 |
+- * anyone else up: |
1037 |
++ * anyone else up. We only try this if neither the waiters nor |
1038 |
++ * the owner died bit are set. |
1039 |
+ */ |
1040 |
+- if (!(uval & FUTEX_OWNER_DIED) && |
1041 |
++ if (!(uval & ~FUTEX_TID_MASK) && |
1042 |
+ cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0)) |
1043 |
+ goto pi_faulted; |
1044 |
+ /* |
1045 |
+@@ -2223,11 +2221,9 @@ retry: |
1046 |
+ /* |
1047 |
+ * No waiters - kernel unlocks the futex: |
1048 |
+ */ |
1049 |
+- if (!(uval & FUTEX_OWNER_DIED)) { |
1050 |
+- ret = unlock_futex_pi(uaddr, uval); |
1051 |
+- if (ret == -EFAULT) |
1052 |
+- goto pi_faulted; |
1053 |
+- } |
1054 |
++ ret = unlock_futex_pi(uaddr, uval); |
1055 |
++ if (ret == -EFAULT) |
1056 |
++ goto pi_faulted; |
1057 |
+ |
1058 |
+ out_unlock: |
1059 |
+ spin_unlock(&hb->lock); |
1060 |
|
1061 |
Added: genpatches-2.6/trunk/3.14/1506-futex-make-lookup_pi_state-more-robust.patch |
1062 |
=================================================================== |
1063 |
(Binary files differ) |
1064 |
|
1065 |
Index: genpatches-2.6/trunk/3.14/1506-futex-make-lookup_pi_state-more-robust.patch |
1066 |
=================================================================== |
1067 |
--- genpatches-2.6/trunk/3.14/1506-futex-make-lookup_pi_state-more-robust.patch 2014-06-05 22:22:47 UTC (rev 2807) |
1068 |
+++ genpatches-2.6/trunk/3.14/1506-futex-make-lookup_pi_state-more-robust.patch 2014-06-05 23:59:56 UTC (rev 2808) |
1069 |
|
1070 |
Property changes on: genpatches-2.6/trunk/3.14/1506-futex-make-lookup_pi_state-more-robust.patch |
1071 |
___________________________________________________________________ |
1072 |
Added: svn:mime-type |
1073 |
## -0,0 +1 ## |
1074 |
+message/rfc822 |
1075 |
\ No newline at end of property |