From: Jerome Marchand <jmarchan@redhat.com>
Date: Fri, 12 Feb 2010 16:20:55 -0500
Subject: [misc] futex: handle futex value corruption gracefully
Message-id: <4B757FE7.1050604@redhat.com>
Patchwork-id: 23254
O-Subject: [RHEL5 PATCH 3/3] futex: Handle futex value corruption gracefully
Bugzilla: 480396
CVE: CVE-2010-0622
RH-Acked-by: Jarod Wilson <jarod@redhat.com>

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=480396

Description:
This corrects a bogus warning about what is in fact user space corruption. Return EINVAL instead and let user space deal with it.

Upstream status: commit 59647b6ac3050dd964bc556fe6ef22f4db5b935c

Signed-off-by: Jarod Wilson <jarod@redhat.com>

diff --git a/kernel/futex.c b/kernel/futex.c index 53d0a14..5724b36 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -532,8 +532,25 @@ lookup_pi_state(u32 uval, struct futex_hash_bucket *hb, struct futex_q *me) return -EINVAL; WARN_ON(!atomic_read(&pi_state->refcount)); - WARN_ON(pid && pi_state->owner && - pi_state->owner->pid != pid); + + /* + * When pi_state->owner is NULL then the owner died + * and another waiter is on the fly. pi_state->owner + * is fixed up by the task which acquires + * pi_state->rt_mutex. + * + * We do not check for pid == 0 which can happen when + * the owner died and robust_list_exit() cleared the + * TID. + */ + if (pid && pi_state->owner) { + /* + * Bail out if user space manipulated the + * futex value. + */ + if (pid != pi_state->owner->pid) + return -EINVAL; + } atomic_inc(&pi_state->refcount); me->pi_state = pi_state;
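Review bot: the new `return -EINVAL` in lookup_pi_state() is placed before `atomic_inc(&pi_state->refcount)` and before `me->pi_state = pi_state`, so the bail-out path takes no reference and leaves the caller's futex_q untouched; that ordering is what makes the early return safe and is worth a sentence in the description, because the removed `WARN_ON(pid && pi_state->owner && pi_state->owner->pid != pid)` only logged and then fell through to take the reference on a pi_state whose owner no longer matched the TID in the user-visible futex word. The description should also spell out the user-visible change: a caller whose futex value was manipulated now gets EINVAL from the PI futex operation instead of triggering a kernel warning, and the two deliberately unchecked cases documented in the comment (`pi_state->owner == NULL` while another waiter fixes ownership up, and `pid == 0` after robust_list_exit() cleared the TID) still pass through and are not treated as corruption.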