| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 21 Jul 2023 12:22:41 +0200
From: Peter Zijlstra <peterz@...radead.org>
To: tglx@...utronix.de, axboe@...nel.dk
Cc: linux-kernel@...r.kernel.org, peterz@...radead.org,
mingo@...hat.com, dvhart@...radead.org, dave@...olabs.net,
andrealmeid@...lia.com, Andrew Morton <akpm@...ux-foundation.org>,
urezki@...il.com, hch@...radead.org, lstoakes@...il.com,
Arnd Bergmann <arnd@...db.de>, linux-api@...r.kernel.org,
linux-mm@...ck.org, linux-arch@...r.kernel.org,
malteskarupke@....de
Subject: [PATCH v1 04/14] futex: Validate futex value against futex size
Ensure the futex value fits in the given futex size. Since this adds a
constraint to an existing syscall, it might possibly change behaviour.
Currently the value would be truncated to a u32 and any high bits
would get silently lost.
Signed-off-by: Peter Zijlstra (Intel) <peterz@...radead.org>
---
kernel/futex/futex.h | 8 ++++++++
kernel/futex/syscalls.c | 3 +++
2 files changed, 11 insertions(+)
--- a/kernel/futex/futex.h
+++ b/kernel/futex/futex.h
@@ -86,6 +86,14 @@ static inline unsigned int futex_size(un
return 1 << size; /* {0,1,2,3} -> {1,2,4,8} */
}
+static inline bool futex_validate_input(unsigned int flags, u64 val)
+{
+ int bits = 8 * futex_size(flags);
+ if (bits < 64 && (val >> bits))
+ return false;
+ return true;
+}
+
#ifdef CONFIG_FAIL_FUTEX
extern bool should_fail_futex(bool fshared);
#else
--- a/kernel/futex/syscalls.c
+++ b/kernel/futex/syscalls.c
@@ -209,6 +209,9 @@ static int futex_parse_waitv(struct fute
if (!futex_flags_valid(flags))
return -EINVAL;
+ if (!futex_validate_input(flags, aux.val))
+ return -EINVAL;
+
futexv[i].w.flags = flags;
futexv[i].w.val = aux.val;
futexv[i].w.uaddr = aux.uaddr;
Powered by blists - more mailing lists