| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20230728164235.1318118-5-axboe@kernel.dk>
Date: Fri, 28 Jul 2023 10:42:27 -0600
From: Jens Axboe <axboe@...nel.dk>
To: io-uring@...r.kernel.org, linux-kernel@...r.kernel.org
Cc: peterz@...radead.org, andres@...razel.de, tglx@...utronix.de,
Jens Axboe <axboe@...nel.dk>
Subject: [PATCH 04/12] futex: Validate futex value against futex size
From: Peter Zijlstra <peterz@...radead.org>
Ensure the futex value fits in the given futex size. Since this adds a
constraint to an existing syscall, it might possibly change behaviour.
Currently the value would be truncated to a u32 and any high bits
would get silently lost.
Signed-off-by: Peter Zijlstra (Intel) <peterz@...radead.org>
Signed-off-by: Jens Axboe <axboe@...nel.dk>
---
kernel/futex/futex.h | 8 ++++++++
kernel/futex/syscalls.c | 3 +++
2 files changed, 11 insertions(+)
diff --git a/kernel/futex/futex.h b/kernel/futex/futex.h
index c0e04599904a..d0a43d751e30 100644
--- a/kernel/futex/futex.h
+++ b/kernel/futex/futex.h
@@ -86,6 +86,14 @@ static inline unsigned int futex_size(unsigned int flags)
return 1 << size; /* {0,1,2,3} -> {1,2,4,8} */
}
+static inline bool futex_validate_input(unsigned int flags, u64 val)
+{
+ int bits = 8 * futex_size(flags);
+ if (bits < 64 && (val >> bits))
+ return false;
+ return true;
+}
+
#ifdef CONFIG_FAIL_FUTEX
extern bool should_fail_futex(bool fshared);
#else
diff --git a/kernel/futex/syscalls.c b/kernel/futex/syscalls.c
index 36824b64219a..d2b2bcf2a665 100644
--- a/kernel/futex/syscalls.c
+++ b/kernel/futex/syscalls.c
@@ -209,6 +209,9 @@ static int futex_parse_waitv(struct futex_vector *futexv,
if (!futex_flags_valid(flags))
return -EINVAL;
+ if (!futex_validate_input(flags, aux.val))
+ return -EINVAL;
+
futexv[i].w.flags = flags;
futexv[i].w.val = aux.val;
futexv[i].w.uaddr = aux.uaddr;
--
2.40.1
Powered by blists - more mailing lists