diff options
| author | Thomas Gleixner <[email protected]> | 2014-06-03 12:27:06 +0000 |
|---|---|---|
| committer | Linus Torvalds <[email protected]> | 2014-06-05 19:31:07 +0000 |
| commit | e9c243a5a6de0be8e584c604d353412584b592f8 (patch) | |
| tree | 228ae282b2b06a966606540190411ea90ffe35c7 /tools/perf/scripts/python/net_dropmonitor.py | |
| parent | Linux 3.15-rc8 (diff) | |
| download | kernel-e9c243a5a6de0be8e584c604d353412584b592f8.tar.gz kernel-e9c243a5a6de0be8e584c604d353412584b592f8.zip | |
futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1)
If uaddr == uaddr2, then we have broken the rule of only requeueing from
a non-pi futex to a pi futex with this call. If we attempt this, then
dangling pointers may be left for rt_waiter resulting in an exploitable
condition.
This change brings futex_requeue() in line with futex_wait_requeue_pi()
which performs the same check as per commit 6f7b0a2a5c0f ("futex: Forbid
uaddr == uaddr2 in futex_wait_requeue_pi()")
[ tglx: Compare the resulting keys as well, as uaddrs might be
different depending on the mapping ]
Fixes CVE-2014-3153.
Reported-by: Pinkie Pie
Signed-off-by: Will Drewry <[email protected]>
Signed-off-by: Kees Cook <[email protected]>
Cc: [email protected]
Signed-off-by: Thomas Gleixner <[email protected]>
Reviewed-by: Darren Hart <[email protected]>
Signed-off-by: Linus Torvalds <[email protected]>
Diffstat (limited to 'tools/perf/scripts/python/net_dropmonitor.py')
0 files changed, 0 insertions, 0 deletions