Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: "Tom Wijsman (tomwij)" <tomwij@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] linux-patches r2808 - in genpatches-2.6/trunk: 3.10 3.14
Date: Fri, 06 Jun 2014 00:00:01
Message-Id: 20140605235956.5D5A120036@flycatcher.gentoo.org
1 Author: tomwij
2 Date: 2014-06-05 23:59:56 +0000 (Thu, 05 Jun 2014)
3 New Revision: 2808
4
5 Added:
6 genpatches-2.6/trunk/3.10/1501-futex-add-another-early-deadlock-detection-check.patch
7 genpatches-2.6/trunk/3.10/1502-futex-prevent-attaching-to-kernel-threads.patch
8 genpatches-2.6/trunk/3.10/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
9 genpatches-2.6/trunk/3.10/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
10 genpatches-2.6/trunk/3.10/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
11 genpatches-2.6/trunk/3.10/1506-futex-make-lookup_pi_state-more-robust.patch
12 genpatches-2.6/trunk/3.14/1501-futex-add-another-early-deadlock-detection-check.patch
13 genpatches-2.6/trunk/3.14/1502-futex-prevent-attaching-to-kernel-threads.patch
14 genpatches-2.6/trunk/3.14/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
15 genpatches-2.6/trunk/3.14/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
16 genpatches-2.6/trunk/3.14/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
17 genpatches-2.6/trunk/3.14/1506-futex-make-lookup_pi_state-more-robust.patch
18 Modified:
19 genpatches-2.6/trunk/3.10/0000_README
20 genpatches-2.6/trunk/3.14/0000_README
21 Log:
22 CVE-2014-3153
23
24 Modified: genpatches-2.6/trunk/3.10/0000_README
25 ===================================================================
26 --- genpatches-2.6/trunk/3.10/0000_README 2014-06-05 22:22:47 UTC (rev 2807)
27 +++ genpatches-2.6/trunk/3.10/0000_README 2014-06-05 23:59:56 UTC (rev 2808)
28 @@ -214,6 +214,30 @@
29 From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6a96e15096da6e7491107321cfa660c7c2aa119d
30 Desc: selinux: add SOCK_DIAG_BY_FAMILY to the list of netlink message types
31
32 +Patch: 1501-futex-add-another-early-deadlock-detection-check.patch
33 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=866293ee54227584ffcb4a42f69c1f365974ba7f
34 +Desc: CVE-2014-3153
35 +
36 +Patch: 1502-futex-prevent-attaching-to-kernel-threads.patch
37 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f0d71b3dcb8332f7971b5f2363632573e6d9486a
38 +Desc: CVE-2014-3153
39 +
40 +Patch: 1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
41 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9c243a5a6de0be8e584c604d353412584b592f8
42 +Desc: CVE-2014-3153
43 +
44 +Patch: 1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
45 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270
46 +Desc: CVE-2014-3153
47 +
48 +Patch: 1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
49 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e
50 +Desc: CVE-2014-3153
51 +
52 +Patch: 1506-futex-make-lookup_pi_state-more-robust.patch
53 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54a217887a7b658e2650c3feff22756ab80c7339
54 +Desc: CVE-2014-3153
55 +
56 Patch: 1700_enable-thinkpad-micled.patch
57 From: https://bugs.gentoo.org/show_bug.cgi?id=449248
58 Desc: Enable mic mute led in thinkpads
59
60 Added: genpatches-2.6/trunk/3.10/1501-futex-add-another-early-deadlock-detection-check.patch
61 ===================================================================
62 --- genpatches-2.6/trunk/3.10/1501-futex-add-another-early-deadlock-detection-check.patch (rev 0)
63 +++ genpatches-2.6/trunk/3.10/1501-futex-add-another-early-deadlock-detection-check.patch 2014-06-05 23:59:56 UTC (rev 2808)
64 @@ -0,0 +1,160 @@
65 +From: Thomas Gleixner <tglx@××××××××××.de>
66 +Date: Mon, 12 May 2014 20:45:34 +0000
67 +Subject: futex: Add another early deadlock detection check
68 +Git-commit: 866293ee54227584ffcb4a42f69c1f365974ba7f
69 +
70 +Dave Jones trinity syscall fuzzer exposed an issue in the deadlock
71 +detection code of rtmutex:
72 + http://lkml.kernel.org/r/20140429151655.GA14277@××××××.com
73 +
74 +That underlying issue has been fixed with a patch to the rtmutex code,
75 +but the futex code must not call into rtmutex in that case because
76 + - it can detect that issue early
77 + - it avoids a different and more complex fixup for backing out
78 +
79 +If the user space variable got manipulated to 0x80000000 which means
80 +no lock holder, but the waiters bit set and an active pi_state in the
81 +kernel is found we can figure out the recursive locking issue by
82 +looking at the pi_state owner. If that is the current task, then we
83 +can safely return -EDEADLK.
84 +
85 +The check should have been added in commit 59fa62451 (futex: Handle
86 +futex_pi OWNER_DIED take over correctly) already, but I did not see
87 +the above issue caused by user space manipulation back then.
88 +
89 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
90 +Cc: Dave Jones <davej@××××××.com>
91 +Cc: Linus Torvalds <torvalds@××××××××××××××××.org>
92 +Cc: Peter Zijlstra <peterz@×××××××××.org>
93 +Cc: Darren Hart <darren@××××××.com>
94 +Cc: Davidlohr Bueso <davidlohr@××.com>
95 +Cc: Steven Rostedt <rostedt@×××××××.org>
96 +Cc: Clark Williams <williams@××××××.com>
97 +Cc: Paul McKenney <paulmck@××××××××××××××.com>
98 +Cc: Lai Jiangshan <laijs@××××××××××.com>
99 +Cc: Roland McGrath <roland@×××××××××.com>
100 +Cc: Carlos ODonell <carlos@××××××.com>
101 +Cc: Jakub Jelinek <jakub@××××××.com>
102 +Cc: Michael Kerrisk <mtk.manpages@×××××.com>
103 +Cc: Sebastian Andrzej Siewior <bigeasy@××××××××××.de>
104 +Link: http://lkml.kernel.org/r/20140512201701.097349971@××××××××××.de
105 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
106 +Cc: stable@×××××××××××.org
107 +---
108 + kernel/futex.c | 47 ++++++++++++++++++++++++++++++++++-------------
109 + 1 file changed, 34 insertions(+), 13 deletions(-)
110 +
111 +Index: linux-3.12/kernel/futex.c
112 +===================================================================
113 +--- linux-3.12.orig/kernel/futex.c
114 ++++ linux-3.12/kernel/futex.c
115 +@@ -596,7 +596,8 @@ void exit_pi_state_list(struct task_stru
116 +
117 + static int
118 + lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
119 +- union futex_key *key, struct futex_pi_state **ps)
120 ++ union futex_key *key, struct futex_pi_state **ps,
121 ++ struct task_struct *task)
122 + {
123 + struct futex_pi_state *pi_state = NULL;
124 + struct futex_q *this, *next;
125 +@@ -640,6 +641,16 @@ lookup_pi_state(u32 uval, struct futex_h
126 + return -EINVAL;
127 + }
128 +
129 ++ /*
130 ++ * Protect against a corrupted uval. If uval
131 ++ * is 0x80000000 then pid is 0 and the waiter
132 ++ * bit is set. So the deadlock check in the
133 ++ * calling code has failed and we did not fall
134 ++ * into the check above due to !pid.
135 ++ */
136 ++ if (task && pi_state->owner == task)
137 ++ return -EDEADLK;
138 ++
139 + atomic_inc(&pi_state->refcount);
140 + *ps = pi_state;
141 +
142 +@@ -789,7 +800,7 @@ retry:
143 + * We dont have the lock. Look up the PI state (or create it if
144 + * we are the first waiter):
145 + */
146 +- ret = lookup_pi_state(uval, hb, key, ps);
147 ++ ret = lookup_pi_state(uval, hb, key, ps, task);
148 +
149 + if (unlikely(ret)) {
150 + switch (ret) {
151 +@@ -1199,7 +1210,7 @@ void requeue_pi_wake_futex(struct futex_
152 + *
153 + * Return:
154 + * 0 - failed to acquire the lock atomically;
155 +- * 1 - acquired the lock;
156 ++ * >0 - acquired the lock, return value is vpid of the top_waiter
157 + * <0 - error
158 + */
159 + static int futex_proxy_trylock_atomic(u32 __user *pifutex,
160 +@@ -1210,7 +1221,7 @@ static int futex_proxy_trylock_atomic(u3
161 + {
162 + struct futex_q *top_waiter = NULL;
163 + u32 curval;
164 +- int ret;
165 ++ int ret, vpid;
166 +
167 + if (get_futex_value_locked(&curval, pifutex))
168 + return -EFAULT;
169 +@@ -1238,11 +1249,13 @@ static int futex_proxy_trylock_atomic(u3
170 + * the contended case or if set_waiters is 1. The pi_state is returned
171 + * in ps in contended cases.
172 + */
173 ++ vpid = task_pid_vnr(top_waiter->task);
174 + ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
175 + set_waiters);
176 +- if (ret == 1)
177 ++ if (ret == 1) {
178 + requeue_pi_wake_futex(top_waiter, key2, hb2);
179 +-
180 ++ return vpid;
181 ++ }
182 + return ret;
183 + }
184 +
185 +@@ -1274,7 +1287,6 @@ static int futex_requeue(u32 __user *uad
186 + struct futex_hash_bucket *hb1, *hb2;
187 + struct plist_head *head1;
188 + struct futex_q *this, *next;
189 +- u32 curval2;
190 +
191 + if (requeue_pi) {
192 + /*
193 +@@ -1360,16 +1372,25 @@ retry_private:
194 + * At this point the top_waiter has either taken uaddr2 or is
195 + * waiting on it. If the former, then the pi_state will not
196 + * exist yet, look it up one more time to ensure we have a
197 +- * reference to it.
198 ++ * reference to it. If the lock was taken, ret contains the
199 ++ * vpid of the top waiter task.
200 + */
201 +- if (ret == 1) {
202 ++ if (ret > 0) {
203 + WARN_ON(pi_state);
204 + drop_count++;
205 + task_count++;
206 +- ret = get_futex_value_locked(&curval2, uaddr2);
207 +- if (!ret)
208 +- ret = lookup_pi_state(curval2, hb2, &key2,
209 +- &pi_state);
210 ++ /*
211 ++ * If we acquired the lock, then the user
212 ++ * space value of uaddr2 should be vpid. It
213 ++ * cannot be changed by the top waiter as it
214 ++ * is blocked on hb2 lock if it tries to do
215 ++ * so. If something fiddled with it behind our
216 ++ * back the pi state lookup might unearth
217 ++ * it. So we rather use the known value than
218 ++ * rereading and handing potential crap to
219 ++ * lookup_pi_state.
220 ++ */
221 ++ ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL);
222 + }
223 +
224 + switch (ret) {
225
226 Added: genpatches-2.6/trunk/3.10/1502-futex-prevent-attaching-to-kernel-threads.patch
227 ===================================================================
228 --- genpatches-2.6/trunk/3.10/1502-futex-prevent-attaching-to-kernel-threads.patch (rev 0)
229 +++ genpatches-2.6/trunk/3.10/1502-futex-prevent-attaching-to-kernel-threads.patch 2014-06-05 23:59:56 UTC (rev 2808)
230 @@ -0,0 +1,52 @@
231 +From: Thomas Gleixner <tglx@××××××××××.de>
232 +Date: Mon, 12 May 2014 20:45:35 +0000
233 +Subject: futex: Prevent attaching to kernel threads
234 +Git-commit: f0d71b3dcb8332f7971b5f2363632573e6d9486a
235 +
236 +We happily allow userspace to declare a random kernel thread to be the
237 +owner of a user space PI futex.
238 +
239 +Found while analysing the fallout of Dave Jones syscall fuzzer.
240 +
241 +We also should validate the thread group for private futexes and find
242 +some fast way to validate whether the "alleged" owner has RW access on
243 +the file which backs the SHM, but that's a separate issue.
244 +
245 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
246 +Cc: Dave Jones <davej@××××××.com>
247 +Cc: Linus Torvalds <torvalds@××××××××××××××××.org>
248 +Cc: Peter Zijlstra <peterz@×××××××××.org>
249 +Cc: Darren Hart <darren@××××××.com>
250 +Cc: Davidlohr Bueso <davidlohr@××.com>
251 +Cc: Steven Rostedt <rostedt@×××××××.org>
252 +Cc: Clark Williams <williams@××××××.com>
253 +Cc: Paul McKenney <paulmck@××××××××××××××.com>
254 +Cc: Lai Jiangshan <laijs@××××××××××.com>
255 +Cc: Roland McGrath <roland@×××××××××.com>
256 +Cc: Carlos ODonell <carlos@××××××.com>
257 +Cc: Jakub Jelinek <jakub@××××××.com>
258 +Cc: Michael Kerrisk <mtk.manpages@×××××.com>
259 +Cc: Sebastian Andrzej Siewior <bigeasy@××××××××××.de>
260 +Link: http://lkml.kernel.org/r/20140512201701.194824402@××××××××××.de
261 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
262 +Cc: stable@×××××××××××.org
263 +---
264 + kernel/futex.c | 5 +++++
265 + 1 file changed, 5 insertions(+)
266 +
267 +Index: linux-3.12/kernel/futex.c
268 +===================================================================
269 +--- linux-3.12.orig/kernel/futex.c
270 ++++ linux-3.12/kernel/futex.c
271 +@@ -668,6 +668,11 @@ lookup_pi_state(u32 uval, struct futex_h
272 + if (!p)
273 + return -ESRCH;
274 +
275 ++ if (!p->mm) {
276 ++ put_task_struct(p);
277 ++ return -EPERM;
278 ++ }
279 ++
280 + /*
281 + * We need to look at the task state flags to figure out,
282 + * whether the task is exiting. To protect against the do_exit
283
284 Added: genpatches-2.6/trunk/3.10/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
285 ===================================================================
286 --- genpatches-2.6/trunk/3.10/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch (rev 0)
287 +++ genpatches-2.6/trunk/3.10/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch 2014-06-05 23:59:56 UTC (rev 2808)
288 @@ -0,0 +1,81 @@
289 +From: Thomas Gleixner <tglx@××××××××××.de>
290 +Date: Tue, 3 Jun 2014 12:27:06 +0000
291 +Subject: futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr ==
292 + uaddr2 in futex_requeue(..., requeue_pi=1)
293 +Git-commit: e9c243a5a6de0be8e584c604d353412584b592f8
294 +
295 +If uaddr == uaddr2, then we have broken the rule of only requeueing from
296 +a non-pi futex to a pi futex with this call. If we attempt this, then
297 +dangling pointers may be left for rt_waiter resulting in an exploitable
298 +condition.
299 +
300 +This change brings futex_requeue() in line with futex_wait_requeue_pi()
301 +which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid
302 +uaddr == uaddr2 in futex_wait_requeue_pi()")
303 +
304 +[ tglx: Compare the resulting keys as well, as uaddrs might be
305 + different depending on the mapping ]
306 +
307 +Fixes CVE-2014-3153.
308 +
309 +Reported-by: Pinkie Pie
310 +Signed-off-by: Will Drewry <wad@××××××××.org>
311 +Signed-off-by: Kees Cook <keescook@××××××××.org>
312 +Cc: stable@×××××××××××.org
313 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
314 +Reviewed-by: Darren Hart <dvhart@×××××××××××.com>
315 +Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
316 +---
317 + kernel/futex.c | 25 +++++++++++++++++++++++++
318 + 1 file changed, 25 insertions(+)
319 +
320 +Index: linux-3.12/kernel/futex.c
321 +===================================================================
322 +--- linux-3.12.orig/kernel/futex.c
323 ++++ linux-3.12/kernel/futex.c
324 +@@ -1295,6 +1295,13 @@ static int futex_requeue(u32 __user *uad
325 +
326 + if (requeue_pi) {
327 + /*
328 ++ * Requeue PI only works on two distinct uaddrs. This
329 ++ * check is only valid for private futexes. See below.
330 ++ */
331 ++ if (uaddr1 == uaddr2)
332 ++ return -EINVAL;
333 ++
334 ++ /*
335 + * requeue_pi requires a pi_state, try to allocate it now
336 + * without any locks in case it fails.
337 + */
338 +@@ -1332,6 +1339,15 @@ retry:
339 + if (unlikely(ret != 0))
340 + goto out_put_key1;
341 +
342 ++ /*
343 ++ * The check above which compares uaddrs is not sufficient for
344 ++ * shared futexes. We need to compare the keys:
345 ++ */
346 ++ if (requeue_pi && match_futex(&key1, &key2)) {
347 ++ ret = -EINVAL;
348 ++ goto out_put_keys;
349 ++ }
350 ++
351 + hb1 = hash_futex(&key1);
352 + hb2 = hash_futex(&key2);
353 +
354 +@@ -2362,6 +2378,15 @@ static int futex_wait_requeue_pi(u32 __u
355 + if (ret)
356 + goto out_key2;
357 +
358 ++ /*
359 ++ * The check above which compares uaddrs is not sufficient for
360 ++ * shared futexes. We need to compare the keys:
361 ++ */
362 ++ if (match_futex(&q.key, &key2)) {
363 ++ ret = -EINVAL;
364 ++ goto out_put_keys;
365 ++ }
366 ++
367 + /* Queue the futex_q, drop the hb lock, wait for wakeup. */
368 + futex_wait_queue_me(hb, &q, to);
369 +
370
371 Added: genpatches-2.6/trunk/3.10/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
372 ===================================================================
373 --- genpatches-2.6/trunk/3.10/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch (rev 0)
374 +++ genpatches-2.6/trunk/3.10/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch 2014-06-05 23:59:56 UTC (rev 2808)
375 @@ -0,0 +1,53 @@
376 +From: Thomas Gleixner <tglx@××××××××××.de>
377 +Date: Tue, 3 Jun 2014 12:27:06 +0000
378 +Subject: futex: Validate atomic acquisition in futex_lock_pi_atomic()
379 +Git-commit: b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270
380 +
381 +We need to protect the atomic acquisition in the kernel against rogue
382 +user space which sets the user space futex to 0, so the kernel side
383 +acquisition succeeds while there is existing state in the kernel
384 +associated to the real owner.
385 +
386 +Verify whether the futex has waiters associated with kernel state. If
387 +it has, return -EINVAL. The state is corrupted already, so no point in
388 +cleaning it up. Subsequent calls will fail as well. Not our problem.
389 +
390 +[ tglx: Use futex_top_waiter() and explain why we do not need to try
391 + restoring the already corrupted user space state. ]
392 +
393 +Signed-off-by: Darren Hart <dvhart@×××××××××××.com>
394 +Cc: Kees Cook <keescook@××××××××.org>
395 +Cc: Will Drewry <wad@××××××××.org>
396 +Cc: stable@×××××××××××.org
397 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
398 +Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
399 +---
400 + kernel/futex.c | 14 +++++++++++---
401 + 1 file changed, 11 insertions(+), 3 deletions(-)
402 +
403 +Index: linux-3.12/kernel/futex.c
404 +===================================================================
405 +--- linux-3.12.orig/kernel/futex.c
406 ++++ linux-3.12/kernel/futex.c
407 +@@ -764,10 +764,18 @@ retry:
408 + return -EDEADLK;
409 +
410 + /*
411 +- * Surprise - we got the lock. Just return to userspace:
412 ++ * Surprise - we got the lock, but we do not trust user space at all.
413 + */
414 +- if (unlikely(!curval))
415 +- return 1;
416 ++ if (unlikely(!curval)) {
417 ++ /*
418 ++ * We verify whether there is kernel state for this
419 ++ * futex. If not, we can safely assume, that the 0 ->
420 ++ * TID transition is correct. If state exists, we do
421 ++ * not bother to fixup the user space state as it was
422 ++ * corrupted already.
423 ++ */
424 ++ return futex_top_waiter(hb, key) ? -EINVAL : 1;
425 ++ }
426 +
427 + uval = curval;
428 +
429
430 Added: genpatches-2.6/trunk/3.10/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
431 ===================================================================
432 --- genpatches-2.6/trunk/3.10/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch (rev 0)
433 +++ genpatches-2.6/trunk/3.10/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch 2014-06-05 23:59:56 UTC (rev 2808)
434 @@ -0,0 +1,99 @@
435 +From: Thomas Gleixner <tglx@××××××××××.de>
436 +Date: Tue, 3 Jun 2014 12:27:07 +0000
437 +Subject: futex: Always cleanup owner tid in unlock_pi
438 +Git-commit: 13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e
439 +
440 +If the owner died bit is set at futex_unlock_pi, we currently do not
441 +cleanup the user space futex. So the owner TID of the current owner
442 +(the unlocker) persists. That's observable inconsistant state,
443 +especially when the ownership of the pi state got transferred.
444 +
445 +Clean it up unconditionally.
446 +
447 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
448 +Cc: Kees Cook <keescook@××××××××.org>
449 +Cc: Will Drewry <wad@××××××××.org>
450 +Cc: Darren Hart <dvhart@×××××××××××.com>
451 +Cc: stable@×××××××××××.org
452 +Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
453 +---
454 + kernel/futex.c | 40 ++++++++++++++++++----------------------
455 + 1 file changed, 18 insertions(+), 22 deletions(-)
456 +
457 +Index: linux-3.12/kernel/futex.c
458 +===================================================================
459 +--- linux-3.12.orig/kernel/futex.c
460 ++++ linux-3.12/kernel/futex.c
461 +@@ -905,6 +905,7 @@ static int wake_futex_pi(u32 __user *uad
462 + struct task_struct *new_owner;
463 + struct futex_pi_state *pi_state = this->pi_state;
464 + u32 uninitialized_var(curval), newval;
465 ++ int ret = 0;
466 +
467 + if (!pi_state)
468 + return -EINVAL;
469 +@@ -928,23 +929,19 @@ static int wake_futex_pi(u32 __user *uad
470 + new_owner = this->task;
471 +
472 + /*
473 +- * We pass it to the next owner. (The WAITERS bit is always
474 +- * kept enabled while there is PI state around. We must also
475 +- * preserve the owner died bit.)
476 +- */
477 +- if (!(uval & FUTEX_OWNER_DIED)) {
478 +- int ret = 0;
479 +-
480 +- newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
481 +-
482 +- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
483 +- ret = -EFAULT;
484 +- else if (curval != uval)
485 +- ret = -EINVAL;
486 +- if (ret) {
487 +- raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
488 +- return ret;
489 +- }
490 ++ * We pass it to the next owner. The WAITERS bit is always
491 ++ * kept enabled while there is PI state around. We cleanup the
492 ++ * owner died bit, because we are the owner.
493 ++ */
494 ++ newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
495 ++
496 ++ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
497 ++ ret = -EFAULT;
498 ++ else if (curval != uval)
499 ++ ret = -EINVAL;
500 ++ if (ret) {
501 ++ raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
502 ++ return ret;
503 + }
504 +
505 + raw_spin_lock_irq(&pi_state->owner->pi_lock);
506 +@@ -2189,9 +2186,10 @@ retry:
507 + /*
508 + * To avoid races, try to do the TID -> 0 atomic transition
509 + * again. If it succeeds then we can return without waking
510 +- * anyone else up:
511 ++ * anyone else up. We only try this if neither the waiters nor
512 ++ * the owner died bit are set.
513 + */
514 +- if (!(uval & FUTEX_OWNER_DIED) &&
515 ++ if (!(uval & ~FUTEX_TID_MASK) &&
516 + cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0))
517 + goto pi_faulted;
518 + /*
519 +@@ -2223,11 +2221,9 @@ retry:
520 + /*
521 + * No waiters - kernel unlocks the futex:
522 + */
523 +- if (!(uval & FUTEX_OWNER_DIED)) {
524 +- ret = unlock_futex_pi(uaddr, uval);
525 +- if (ret == -EFAULT)
526 +- goto pi_faulted;
527 +- }
528 ++ ret = unlock_futex_pi(uaddr, uval);
529 ++ if (ret == -EFAULT)
530 ++ goto pi_faulted;
531 +
532 + out_unlock:
533 + spin_unlock(&hb->lock);
534
535 Added: genpatches-2.6/trunk/3.10/1506-futex-make-lookup_pi_state-more-robust.patch
536 ===================================================================
537 (Binary files differ)
538
539 Index: genpatches-2.6/trunk/3.10/1506-futex-make-lookup_pi_state-more-robust.patch
540 ===================================================================
541 --- genpatches-2.6/trunk/3.10/1506-futex-make-lookup_pi_state-more-robust.patch 2014-06-05 22:22:47 UTC (rev 2807)
542 +++ genpatches-2.6/trunk/3.10/1506-futex-make-lookup_pi_state-more-robust.patch 2014-06-05 23:59:56 UTC (rev 2808)
543
544 Property changes on: genpatches-2.6/trunk/3.10/1506-futex-make-lookup_pi_state-more-robust.patch
545 ___________________________________________________________________
546 Added: svn:mime-type
547 ## -0,0 +1 ##
548 +message/rfc822
549 \ No newline at end of property
550 Modified: genpatches-2.6/trunk/3.14/0000_README
551 ===================================================================
552 --- genpatches-2.6/trunk/3.14/0000_README 2014-06-05 22:22:47 UTC (rev 2807)
553 +++ genpatches-2.6/trunk/3.14/0000_README 2014-06-05 23:59:56 UTC (rev 2808)
554 @@ -66,6 +66,30 @@
555 From: https://bugs.gentoo.org/show_bug.cgi?id=470644
556 Desc: Support for namespace user.pax.* on tmpfs.
557
558 +Patch: 1501-futex-add-another-early-deadlock-detection-check.patch
559 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=866293ee54227584ffcb4a42f69c1f365974ba7f
560 +Desc: CVE-2014-3153
561 +
562 +Patch: 1502-futex-prevent-attaching-to-kernel-threads.patch
563 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f0d71b3dcb8332f7971b5f2363632573e6d9486a
564 +Desc: CVE-2014-3153
565 +
566 +Patch: 1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
567 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e9c243a5a6de0be8e584c604d353412584b592f8
568 +Desc: CVE-2014-3153
569 +
570 +Patch: 1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
571 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270
572 +Desc: CVE-2014-3153
573 +
574 +Patch: 1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
575 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e
576 +Desc: CVE-2014-3153
577 +
578 +Patch: 1506-futex-make-lookup_pi_state-more-robust.patch
579 +From: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=54a217887a7b658e2650c3feff22756ab80c7339
580 +Desc: CVE-2014-3153
581 +
582 Patch: 1700_enable-thinkpad-micled.patch
583 From: https://bugs.gentoo.org/show_bug.cgi?id=449248
584 Desc: Enable mic mute led in thinkpads
585
586 Added: genpatches-2.6/trunk/3.14/1501-futex-add-another-early-deadlock-detection-check.patch
587 ===================================================================
588 --- genpatches-2.6/trunk/3.14/1501-futex-add-another-early-deadlock-detection-check.patch (rev 0)
589 +++ genpatches-2.6/trunk/3.14/1501-futex-add-another-early-deadlock-detection-check.patch 2014-06-05 23:59:56 UTC (rev 2808)
590 @@ -0,0 +1,160 @@
591 +From: Thomas Gleixner <tglx@××××××××××.de>
592 +Date: Mon, 12 May 2014 20:45:34 +0000
593 +Subject: futex: Add another early deadlock detection check
594 +Git-commit: 866293ee54227584ffcb4a42f69c1f365974ba7f
595 +
596 +Dave Jones trinity syscall fuzzer exposed an issue in the deadlock
597 +detection code of rtmutex:
598 + http://lkml.kernel.org/r/20140429151655.GA14277@××××××.com
599 +
600 +That underlying issue has been fixed with a patch to the rtmutex code,
601 +but the futex code must not call into rtmutex in that case because
602 + - it can detect that issue early
603 + - it avoids a different and more complex fixup for backing out
604 +
605 +If the user space variable got manipulated to 0x80000000 which means
606 +no lock holder, but the waiters bit set and an active pi_state in the
607 +kernel is found we can figure out the recursive locking issue by
608 +looking at the pi_state owner. If that is the current task, then we
609 +can safely return -EDEADLK.
610 +
611 +The check should have been added in commit 59fa62451 (futex: Handle
612 +futex_pi OWNER_DIED take over correctly) already, but I did not see
613 +the above issue caused by user space manipulation back then.
614 +
615 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
616 +Cc: Dave Jones <davej@××××××.com>
617 +Cc: Linus Torvalds <torvalds@××××××××××××××××.org>
618 +Cc: Peter Zijlstra <peterz@×××××××××.org>
619 +Cc: Darren Hart <darren@××××××.com>
620 +Cc: Davidlohr Bueso <davidlohr@××.com>
621 +Cc: Steven Rostedt <rostedt@×××××××.org>
622 +Cc: Clark Williams <williams@××××××.com>
623 +Cc: Paul McKenney <paulmck@××××××××××××××.com>
624 +Cc: Lai Jiangshan <laijs@××××××××××.com>
625 +Cc: Roland McGrath <roland@×××××××××.com>
626 +Cc: Carlos ODonell <carlos@××××××.com>
627 +Cc: Jakub Jelinek <jakub@××××××.com>
628 +Cc: Michael Kerrisk <mtk.manpages@×××××.com>
629 +Cc: Sebastian Andrzej Siewior <bigeasy@××××××××××.de>
630 +Link: http://lkml.kernel.org/r/20140512201701.097349971@××××××××××.de
631 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
632 +Cc: stable@×××××××××××.org
633 +---
634 + kernel/futex.c | 47 ++++++++++++++++++++++++++++++++++-------------
635 + 1 file changed, 34 insertions(+), 13 deletions(-)
636 +
637 +Index: linux-3.12/kernel/futex.c
638 +===================================================================
639 +--- linux-3.12.orig/kernel/futex.c
640 ++++ linux-3.12/kernel/futex.c
641 +@@ -596,7 +596,8 @@ void exit_pi_state_list(struct task_stru
642 +
643 + static int
644 + lookup_pi_state(u32 uval, struct futex_hash_bucket *hb,
645 +- union futex_key *key, struct futex_pi_state **ps)
646 ++ union futex_key *key, struct futex_pi_state **ps,
647 ++ struct task_struct *task)
648 + {
649 + struct futex_pi_state *pi_state = NULL;
650 + struct futex_q *this, *next;
651 +@@ -640,6 +641,16 @@ lookup_pi_state(u32 uval, struct futex_h
652 + return -EINVAL;
653 + }
654 +
655 ++ /*
656 ++ * Protect against a corrupted uval. If uval
657 ++ * is 0x80000000 then pid is 0 and the waiter
658 ++ * bit is set. So the deadlock check in the
659 ++ * calling code has failed and we did not fall
660 ++ * into the check above due to !pid.
661 ++ */
662 ++ if (task && pi_state->owner == task)
663 ++ return -EDEADLK;
664 ++
665 + atomic_inc(&pi_state->refcount);
666 + *ps = pi_state;
667 +
668 +@@ -789,7 +800,7 @@ retry:
669 + * We dont have the lock. Look up the PI state (or create it if
670 + * we are the first waiter):
671 + */
672 +- ret = lookup_pi_state(uval, hb, key, ps);
673 ++ ret = lookup_pi_state(uval, hb, key, ps, task);
674 +
675 + if (unlikely(ret)) {
676 + switch (ret) {
677 +@@ -1199,7 +1210,7 @@ void requeue_pi_wake_futex(struct futex_
678 + *
679 + * Return:
680 + * 0 - failed to acquire the lock atomically;
681 +- * 1 - acquired the lock;
682 ++ * >0 - acquired the lock, return value is vpid of the top_waiter
683 + * <0 - error
684 + */
685 + static int futex_proxy_trylock_atomic(u32 __user *pifutex,
686 +@@ -1210,7 +1221,7 @@ static int futex_proxy_trylock_atomic(u3
687 + {
688 + struct futex_q *top_waiter = NULL;
689 + u32 curval;
690 +- int ret;
691 ++ int ret, vpid;
692 +
693 + if (get_futex_value_locked(&curval, pifutex))
694 + return -EFAULT;
695 +@@ -1238,11 +1249,13 @@ static int futex_proxy_trylock_atomic(u3
696 + * the contended case or if set_waiters is 1. The pi_state is returned
697 + * in ps in contended cases.
698 + */
699 ++ vpid = task_pid_vnr(top_waiter->task);
700 + ret = futex_lock_pi_atomic(pifutex, hb2, key2, ps, top_waiter->task,
701 + set_waiters);
702 +- if (ret == 1)
703 ++ if (ret == 1) {
704 + requeue_pi_wake_futex(top_waiter, key2, hb2);
705 +-
706 ++ return vpid;
707 ++ }
708 + return ret;
709 + }
710 +
711 +@@ -1274,7 +1287,6 @@ static int futex_requeue(u32 __user *uad
712 + struct futex_hash_bucket *hb1, *hb2;
713 + struct plist_head *head1;
714 + struct futex_q *this, *next;
715 +- u32 curval2;
716 +
717 + if (requeue_pi) {
718 + /*
719 +@@ -1360,16 +1372,25 @@ retry_private:
720 + * At this point the top_waiter has either taken uaddr2 or is
721 + * waiting on it. If the former, then the pi_state will not
722 + * exist yet, look it up one more time to ensure we have a
723 +- * reference to it.
724 ++ * reference to it. If the lock was taken, ret contains the
725 ++ * vpid of the top waiter task.
726 + */
727 +- if (ret == 1) {
728 ++ if (ret > 0) {
729 + WARN_ON(pi_state);
730 + drop_count++;
731 + task_count++;
732 +- ret = get_futex_value_locked(&curval2, uaddr2);
733 +- if (!ret)
734 +- ret = lookup_pi_state(curval2, hb2, &key2,
735 +- &pi_state);
736 ++ /*
737 ++ * If we acquired the lock, then the user
738 ++ * space value of uaddr2 should be vpid. It
739 ++ * cannot be changed by the top waiter as it
740 ++ * is blocked on hb2 lock if it tries to do
741 ++ * so. If something fiddled with it behind our
742 ++ * back the pi state lookup might unearth
743 ++ * it. So we rather use the known value than
744 ++ * rereading and handing potential crap to
745 ++ * lookup_pi_state.
746 ++ */
747 ++ ret = lookup_pi_state(ret, hb2, &key2, &pi_state, NULL);
748 + }
749 +
750 + switch (ret) {
751
752 Added: genpatches-2.6/trunk/3.14/1502-futex-prevent-attaching-to-kernel-threads.patch
753 ===================================================================
754 --- genpatches-2.6/trunk/3.14/1502-futex-prevent-attaching-to-kernel-threads.patch (rev 0)
755 +++ genpatches-2.6/trunk/3.14/1502-futex-prevent-attaching-to-kernel-threads.patch 2014-06-05 23:59:56 UTC (rev 2808)
756 @@ -0,0 +1,52 @@
757 +From: Thomas Gleixner <tglx@××××××××××.de>
758 +Date: Mon, 12 May 2014 20:45:35 +0000
759 +Subject: futex: Prevent attaching to kernel threads
760 +Git-commit: f0d71b3dcb8332f7971b5f2363632573e6d9486a
761 +
762 +We happily allow userspace to declare a random kernel thread to be the
763 +owner of a user space PI futex.
764 +
765 +Found while analysing the fallout of Dave Jones syscall fuzzer.
766 +
767 +We also should validate the thread group for private futexes and find
768 +some fast way to validate whether the "alleged" owner has RW access on
769 +the file which backs the SHM, but that's a separate issue.
770 +
771 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
772 +Cc: Dave Jones <davej@××××××.com>
773 +Cc: Linus Torvalds <torvalds@××××××××××××××××.org>
774 +Cc: Peter Zijlstra <peterz@×××××××××.org>
775 +Cc: Darren Hart <darren@××××××.com>
776 +Cc: Davidlohr Bueso <davidlohr@××.com>
777 +Cc: Steven Rostedt <rostedt@×××××××.org>
778 +Cc: Clark Williams <williams@××××××.com>
779 +Cc: Paul McKenney <paulmck@××××××××××××××.com>
780 +Cc: Lai Jiangshan <laijs@××××××××××.com>
781 +Cc: Roland McGrath <roland@×××××××××.com>
782 +Cc: Carlos ODonell <carlos@××××××.com>
783 +Cc: Jakub Jelinek <jakub@××××××.com>
784 +Cc: Michael Kerrisk <mtk.manpages@×××××.com>
785 +Cc: Sebastian Andrzej Siewior <bigeasy@××××××××××.de>
786 +Link: http://lkml.kernel.org/r/20140512201701.194824402@××××××××××.de
787 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
788 +Cc: stable@×××××××××××.org
789 +---
790 + kernel/futex.c | 5 +++++
791 + 1 file changed, 5 insertions(+)
792 +
793 +Index: linux-3.12/kernel/futex.c
794 +===================================================================
795 +--- linux-3.12.orig/kernel/futex.c
796 ++++ linux-3.12/kernel/futex.c
797 +@@ -668,6 +668,11 @@ lookup_pi_state(u32 uval, struct futex_h
798 + if (!p)
799 + return -ESRCH;
800 +
801 ++ if (!p->mm) {
802 ++ put_task_struct(p);
803 ++ return -EPERM;
804 ++ }
805 ++
806 + /*
807 + * We need to look at the task state flags to figure out,
808 + * whether the task is exiting. To protect against the do_exit
809
810 Added: genpatches-2.6/trunk/3.14/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch
811 ===================================================================
812 --- genpatches-2.6/trunk/3.14/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch (rev 0)
813 +++ genpatches-2.6/trunk/3.14/1503-futex-prevent-requeue-pi-on-same-futex-patch-futex-forbid-uaddr-uaddr2-in-futex_requeue-requeue_pi-1.patch 2014-06-05 23:59:56 UTC (rev 2808)
814 @@ -0,0 +1,81 @@
815 +From: Thomas Gleixner <tglx@××××××××××.de>
816 +Date: Tue, 3 Jun 2014 12:27:06 +0000
817 +Subject: futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr ==
818 + uaddr2 in futex_requeue(..., requeue_pi=1)
819 +Git-commit: e9c243a5a6de0be8e584c604d353412584b592f8
820 +
821 +If uaddr == uaddr2, then we have broken the rule of only requeueing from
822 +a non-pi futex to a pi futex with this call. If we attempt this, then
823 +dangling pointers may be left for rt_waiter resulting in an exploitable
824 +condition.
825 +
826 +This change brings futex_requeue() in line with futex_wait_requeue_pi()
827 +which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid
828 +uaddr == uaddr2 in futex_wait_requeue_pi()")
829 +
830 +[ tglx: Compare the resulting keys as well, as uaddrs might be
831 + different depending on the mapping ]
832 +
833 +Fixes CVE-2014-3153.
834 +
835 +Reported-by: Pinkie Pie
836 +Signed-off-by: Will Drewry <wad@××××××××.org>
837 +Signed-off-by: Kees Cook <keescook@××××××××.org>
838 +Cc: stable@×××××××××××.org
839 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
840 +Reviewed-by: Darren Hart <dvhart@×××××××××××.com>
841 +Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
842 +---
843 + kernel/futex.c | 25 +++++++++++++++++++++++++
844 + 1 file changed, 25 insertions(+)
845 +
846 +Index: linux-3.12/kernel/futex.c
847 +===================================================================
848 +--- linux-3.12.orig/kernel/futex.c
849 ++++ linux-3.12/kernel/futex.c
850 +@@ -1295,6 +1295,13 @@ static int futex_requeue(u32 __user *uad
851 +
852 + if (requeue_pi) {
853 + /*
854 ++ * Requeue PI only works on two distinct uaddrs. This
855 ++ * check is only valid for private futexes. See below.
856 ++ */
857 ++ if (uaddr1 == uaddr2)
858 ++ return -EINVAL;
859 ++
860 ++ /*
861 + * requeue_pi requires a pi_state, try to allocate it now
862 + * without any locks in case it fails.
863 + */
864 +@@ -1332,6 +1339,15 @@ retry:
865 + if (unlikely(ret != 0))
866 + goto out_put_key1;
867 +
868 ++ /*
869 ++ * The check above which compares uaddrs is not sufficient for
870 ++ * shared futexes. We need to compare the keys:
871 ++ */
872 ++ if (requeue_pi && match_futex(&key1, &key2)) {
873 ++ ret = -EINVAL;
874 ++ goto out_put_keys;
875 ++ }
876 ++
877 + hb1 = hash_futex(&key1);
878 + hb2 = hash_futex(&key2);
879 +
880 +@@ -2362,6 +2378,15 @@ static int futex_wait_requeue_pi(u32 __u
881 + if (ret)
882 + goto out_key2;
883 +
884 ++ /*
885 ++ * The check above which compares uaddrs is not sufficient for
886 ++ * shared futexes. We need to compare the keys:
887 ++ */
888 ++ if (match_futex(&q.key, &key2)) {
889 ++ ret = -EINVAL;
890 ++ goto out_put_keys;
891 ++ }
892 ++
893 + /* Queue the futex_q, drop the hb lock, wait for wakeup. */
894 + futex_wait_queue_me(hb, &q, to);
895 +
896
897 Added: genpatches-2.6/trunk/3.14/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch
898 ===================================================================
899 --- genpatches-2.6/trunk/3.14/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch (rev 0)
900 +++ genpatches-2.6/trunk/3.14/1504-futex-validate-atomic-acquisition-in-futex_lock_pi_atomic.patch 2014-06-05 23:59:56 UTC (rev 2808)
901 @@ -0,0 +1,53 @@
902 +From: Thomas Gleixner <tglx@××××××××××.de>
903 +Date: Tue, 3 Jun 2014 12:27:06 +0000
904 +Subject: futex: Validate atomic acquisition in futex_lock_pi_atomic()
905 +Git-commit: b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270
906 +
907 +We need to protect the atomic acquisition in the kernel against rogue
908 +user space which sets the user space futex to 0, so the kernel side
909 +acquisition succeeds while there is existing state in the kernel
910 +associated to the real owner.
911 +
912 +Verify whether the futex has waiters associated with kernel state. If
913 +it has, return -EINVAL. The state is corrupted already, so no point in
914 +cleaning it up. Subsequent calls will fail as well. Not our problem.
915 +
916 +[ tglx: Use futex_top_waiter() and explain why we do not need to try
917 + restoring the already corrupted user space state. ]
918 +
919 +Signed-off-by: Darren Hart <dvhart@×××××××××××.com>
920 +Cc: Kees Cook <keescook@××××××××.org>
921 +Cc: Will Drewry <wad@××××××××.org>
922 +Cc: stable@×××××××××××.org
923 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
924 +Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
925 +---
926 + kernel/futex.c | 14 +++++++++++---
927 + 1 file changed, 11 insertions(+), 3 deletions(-)
928 +
929 +Index: linux-3.12/kernel/futex.c
930 +===================================================================
931 +--- linux-3.12.orig/kernel/futex.c
932 ++++ linux-3.12/kernel/futex.c
933 +@@ -764,10 +764,18 @@ retry:
934 + return -EDEADLK;
935 +
936 + /*
937 +- * Surprise - we got the lock. Just return to userspace:
938 ++ * Surprise - we got the lock, but we do not trust user space at all.
939 + */
940 +- if (unlikely(!curval))
941 +- return 1;
942 ++ if (unlikely(!curval)) {
943 ++ /*
944 ++ * We verify whether there is kernel state for this
945 ++ * futex. If not, we can safely assume, that the 0 ->
946 ++ * TID transition is correct. If state exists, we do
947 ++ * not bother to fixup the user space state as it was
948 ++ * corrupted already.
949 ++ */
950 ++ return futex_top_waiter(hb, key) ? -EINVAL : 1;
951 ++ }
952 +
953 + uval = curval;
954 +
955
956 Added: genpatches-2.6/trunk/3.14/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch
957 ===================================================================
958 --- genpatches-2.6/trunk/3.14/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch (rev 0)
959 +++ genpatches-2.6/trunk/3.14/1505-futex-always-cleanup-owner-tid-in-unlock_pi.patch 2014-06-05 23:59:56 UTC (rev 2808)
960 @@ -0,0 +1,99 @@
961 +From: Thomas Gleixner <tglx@××××××××××.de>
962 +Date: Tue, 3 Jun 2014 12:27:07 +0000
963 +Subject: futex: Always cleanup owner tid in unlock_pi
964 +Git-commit: 13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e
965 +
966 +If the owner died bit is set at futex_unlock_pi, we currently do not
967 +cleanup the user space futex. So the owner TID of the current owner
968 +(the unlocker) persists. That's observable inconsistant state,
969 +especially when the ownership of the pi state got transferred.
970 +
971 +Clean it up unconditionally.
972 +
973 +Signed-off-by: Thomas Gleixner <tglx@××××××××××.de>
974 +Cc: Kees Cook <keescook@××××××××.org>
975 +Cc: Will Drewry <wad@××××××××.org>
976 +Cc: Darren Hart <dvhart@×××××××××××.com>
977 +Cc: stable@×××××××××××.org
978 +Signed-off-by: Linus Torvalds <torvalds@××××××××××××××××.org>
979 +---
980 + kernel/futex.c | 40 ++++++++++++++++++----------------------
981 + 1 file changed, 18 insertions(+), 22 deletions(-)
982 +
983 +Index: linux-3.12/kernel/futex.c
984 +===================================================================
985 +--- linux-3.12.orig/kernel/futex.c
986 ++++ linux-3.12/kernel/futex.c
987 +@@ -905,6 +905,7 @@ static int wake_futex_pi(u32 __user *uad
988 + struct task_struct *new_owner;
989 + struct futex_pi_state *pi_state = this->pi_state;
990 + u32 uninitialized_var(curval), newval;
991 ++ int ret = 0;
992 +
993 + if (!pi_state)
994 + return -EINVAL;
995 +@@ -928,23 +929,19 @@ static int wake_futex_pi(u32 __user *uad
996 + new_owner = this->task;
997 +
998 + /*
999 +- * We pass it to the next owner. (The WAITERS bit is always
1000 +- * kept enabled while there is PI state around. We must also
1001 +- * preserve the owner died bit.)
1002 +- */
1003 +- if (!(uval & FUTEX_OWNER_DIED)) {
1004 +- int ret = 0;
1005 +-
1006 +- newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
1007 +-
1008 +- if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
1009 +- ret = -EFAULT;
1010 +- else if (curval != uval)
1011 +- ret = -EINVAL;
1012 +- if (ret) {
1013 +- raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
1014 +- return ret;
1015 +- }
1016 ++ * We pass it to the next owner. The WAITERS bit is always
1017 ++ * kept enabled while there is PI state around. We cleanup the
1018 ++ * owner died bit, because we are the owner.
1019 ++ */
1020 ++ newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
1021 ++
1022 ++ if (cmpxchg_futex_value_locked(&curval, uaddr, uval, newval))
1023 ++ ret = -EFAULT;
1024 ++ else if (curval != uval)
1025 ++ ret = -EINVAL;
1026 ++ if (ret) {
1027 ++ raw_spin_unlock(&pi_state->pi_mutex.wait_lock);
1028 ++ return ret;
1029 + }
1030 +
1031 + raw_spin_lock_irq(&pi_state->owner->pi_lock);
1032 +@@ -2189,9 +2186,10 @@ retry:
1033 + /*
1034 + * To avoid races, try to do the TID -> 0 atomic transition
1035 + * again. If it succeeds then we can return without waking
1036 +- * anyone else up:
1037 ++ * anyone else up. We only try this if neither the waiters nor
1038 ++ * the owner died bit are set.
1039 + */
1040 +- if (!(uval & FUTEX_OWNER_DIED) &&
1041 ++ if (!(uval & ~FUTEX_TID_MASK) &&
1042 + cmpxchg_futex_value_locked(&uval, uaddr, vpid, 0))
1043 + goto pi_faulted;
1044 + /*
1045 +@@ -2223,11 +2221,9 @@ retry:
1046 + /*
1047 + * No waiters - kernel unlocks the futex:
1048 + */
1049 +- if (!(uval & FUTEX_OWNER_DIED)) {
1050 +- ret = unlock_futex_pi(uaddr, uval);
1051 +- if (ret == -EFAULT)
1052 +- goto pi_faulted;
1053 +- }
1054 ++ ret = unlock_futex_pi(uaddr, uval);
1055 ++ if (ret == -EFAULT)
1056 ++ goto pi_faulted;
1057 +
1058 + out_unlock:
1059 + spin_unlock(&hb->lock);
1060
1061 Added: genpatches-2.6/trunk/3.14/1506-futex-make-lookup_pi_state-more-robust.patch
1062 ===================================================================
1063 (Binary files differ)
1064
1065 Index: genpatches-2.6/trunk/3.14/1506-futex-make-lookup_pi_state-more-robust.patch
1066 ===================================================================
1067 --- genpatches-2.6/trunk/3.14/1506-futex-make-lookup_pi_state-more-robust.patch 2014-06-05 22:22:47 UTC (rev 2807)
1068 +++ genpatches-2.6/trunk/3.14/1506-futex-make-lookup_pi_state-more-robust.patch 2014-06-05 23:59:56 UTC (rev 2808)
1069
1070 Property changes on: genpatches-2.6/trunk/3.14/1506-futex-make-lookup_pi_state-more-robust.patch
1071 ___________________________________________________________________
1072 Added: svn:mime-type
1073 ## -0,0 +1 ##
1074 +message/rfc822
1075 \ No newline at end of property
Report Message
Find on MARC Find on Google Groups