From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org,
	torvalds@linux-foundation.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
	Zwane Mwaikambo <zwane@arm.linux.org.uk>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Randy Dunlap <rdunlap@xenotime.net>,
	Dave Jones <davej@redhat.com>,
	Chuck Wolber <chuckw@quantumlinux.com>,
	Chris Wedgwood <reviews@ml.cw.f00f.org>,
	Michael Krufky <mkrufky@linuxtv.org>,
	Chuck Ebbert <cebbert@redhat.com>,
	Domenico Andreoli <cavokz@gmail.com>,
	akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
	arnd@arndb.de, davem@davemloft.net, tglx@linutronix.de,
	mingo@elte.hu
Subject: [25/50] futex_compat: fix list traversal bugs
Date: Mon, 24 Sep 2007 09:21:22 -0700	[thread overview]
Message-ID: <20070924162122.GZ13510@kroah.com> (raw)
In-Reply-To: <20070924161733.GA13510@kroah.com>

[-- Attachment #1: futex_compat-fix-list-traversal-bugs.patch --]
[-- Type: text/plain, Size: 1926 bytes --]


From: Arnd Bergmann <arnd@arndb.de>

commit 179c85ea53bef807621f335767e41e23f86f01df in mainline.

The futex list traversal on the compat side appears to have
a bug.

Its loop termination condition compares:

        while (compat_ptr(uentry) != &head->list)

But that can't be right because "uentry" has the special
"pi" indicator bit still potentially set at bit 0.  This
is cleared by fetch_robust_entry() into the "entry"
return value.

What this seems to mean is that the list won't terminate
when list iteration gets back to the head.  And we'll
also process the list head like a normal entry, which could
cause all kinds of problems.

So we should check for equality with "entry".  That pointer
is of the non-compat type so we have to do a little casting
to keep the compiler and sparse happy.

The same problem can in theory occur with the 'pending'
variable, although that has not been reported from users
so far.

Based on the original patch from David Miller.

Acked-by: Ingo Molnar <mingo@elte.hu>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: David Miller <davem@davemloft.net>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

---
 kernel/futex_compat.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/kernel/futex_compat.c
+++ b/kernel/futex_compat.c
@@ -61,10 +61,10 @@ void compat_exit_robust_list(struct task
 	if (fetch_robust_entry(&upending, &pending,
 			       &head->list_op_pending, &pip))
 		return;
-	if (upending)
+	if (pending)
 		handle_futex_death((void __user *)pending + futex_offset, curr, pip);
 
-	while (compat_ptr(uentry) != &head->list) {
+	while (entry != (struct robust_list __user *) &head->list) {
 		/*
 		 * A pending lock might already be on the list, so
 		 * dont process it twice:
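Review bot: the hunk's context does not show where `entry` is first fetched, so the new condition `while (entry != (struct robust_list __user *) &head->list)` depends on `entry` having been assigned by fetch_robust_entry() from `head->list.next` (pi bit cleared) just above this hunk; please confirm that assignment is there, since the first comparison would otherwise use a stale or uninitialised value. The `if (upending)` to `if (pending)` change is the right companion fix: `upending` is the raw compat word, which is non-zero whenever the pi bit is set even if the pointer part is NULL, so the old test could hand a NULL entry plus futex_offset to handle_futex_death(), whereas `pending` is the cleared pointer and is the value that should gate the call. A one-line comment at the loop saying why the cast is needed (`entry` is the non-compat type, as the log explains) would save the next reader a trip to the commit message.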

-- 
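The mis-comparison the commit message describes, as an added C model (not kernel code and not part of this patch): user pointers are simulated as offsets into a small arena with bit 0 as the pi indicator, and the same list is walked with the old and the patched termination test. Names such as arena_words, walk_list and run_scenario are this model's own; fetch_robust_entry and compat_ptr are simplified stand-ins for the kernel functions.

```c
#include <stdint.h>
#include <stddef.h>
/* Constructed model of the compat robust-list walk: user pointers are 32-bit words
 * whose bit 0 is the "pi" indicator, as the commit message describes. */
#define PI_BIT            1u
#define ROBUST_LIST_LIMIT 2048                   /* iteration cap, as in the kernel walker */
struct robust_list      { uint32_t next; };      /* compat_uptr_t */
struct robust_list_head { struct robust_list list; uint32_t futex_offset; };
static uint32_t arena_words[16];                 /* constructed 32-bit "user" address space */
#define arena ((unsigned char *)arena_words)

/* compat_ptr(): widen a 32-bit user word; 0 stays NULL as in the kernel. */
static struct robust_list *compat_ptr(uint32_t u) { return u ? (struct robust_list *)(arena + u) : NULL; }

/* Model of fetch_robust_entry(): raw word to *uentry, pi bit to *pi, cleared pointer returned. */
static struct robust_list *fetch_robust_entry(uint32_t raw, uint32_t *uentry, int *pi)
{
    *uentry = raw;
    *pi = raw & PI_BIT;
    return compat_ptr(raw & ~PI_BIT);
}

/* Walk with the old (fixed == 0) or patched termination test. Returns entries processed,
 * or -1 if the cap was hit; *head_processed is set if the head was handled as an entry. */
static int walk_list(struct robust_list_head *head, int fixed, int *head_processed)
{
    uint32_t uentry; int pi, count = 0;
    struct robust_list *entry = fetch_robust_entry(head->list.next, &uentry, &pi);
    *head_processed = 0;
    while (fixed ? entry != &head->list : compat_ptr(uentry) != &head->list) {
        if (entry == &head->list) *head_processed = 1;
        if (++count > ROBUST_LIST_LIMIT) return -1;
        entry = fetch_robust_entry(entry->next, &uentry, &pi);
    }
    return count;
}

/* Head at offset 8, entries at 16 and 32; the last link back to the head carries the
 * pi bit, so the raw word is 9 while the cleared pointer equals &head->list. */
static int run_scenario(int fixed, int *head_processed)
{
    struct robust_list_head *head = (struct robust_list_head *)(arena + 8);
    head->list.next = 16;
    compat_ptr(16)->next = 32 | PI_BIT;
    compat_ptr(32)->next = 8 | PI_BIT;
    return walk_list(head, fixed, head_processed);
}

/* Convenience for checks: run the scenario and report whether the head was handled. */
static int head_was_processed(int fixed) { int hp; run_scenario(fixed, &hp); return hp; }
```

With the old test the walk never sees the head and only stops at the iteration cap; with the patched test it ends after the two real entries.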
