From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Google-Smtp-Source: AH8x224mHH4ixS9w5dg8VpFg1oW5bd/zWPpqF/KzMmEdL6csh+uhE2rfL3ipWt58ceXUkC3DdJuD ARC-Seal: i=1; a=rsa-sha256; t=1516611047; cv=none; d=google.com; s=arc-20160816; b=ufD5RztgNJxYP349SEaX8768OU5Km2Kl4IeYBBcd16VX114wqFazWyixs4D18mX3L2 6zb8N6axXXLvO4IvpSYxsj7RQz86PR9TyRjQB7yiBdNE/eMhgA9DMkK+sNtU/8feAr1v XilsVdK+eS2FwG3jbvsc0SBizC/a8EGmaDdKOJlqVPGrskSe3ufT5rAqdId/0hWpm0R0 7tNd0AoeRdsdwXMQtGIUO4L/mN4y+HgaZJu5MImCiFpN1eQglcLOjt3g2Bvai+CZ4wgH Ys/ai2wnlpxSy1WkQfkX1LLXfxEVpkK+WhB8uNeKhEWAzQMNYorBAjWSvIQMtDiIzrA1 4DiA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=mime-version:user-agent:references:in-reply-to:message-id:date :subject:cc:to:from:arc-authentication-results; bh=ybncpGW6cogxRXtfWpWDXPng644GcvucEoNJXiNtSpw=; b=ureLL+fTTSTCz/+slfnk34K/8EEnZR9M2OGtzaDlZNrcBTdqirhoFQpwbKeP6NbxmY tYGXXdGL5nJTsDi0pzYForbJOX17PNBWsn0K57+Qf0ZvJdpnl+OBFo79eX7Jvs3vne0F RhmMQ79zubloRIxtIbRp7K8mdBu7/9bqYVto9nlRHEI5zJTejbUwNdfifn9CWlMoaoWg Tq58DBSG7gWUKZJVqbQREigXpbhhqJp6mJ379hdtIwwT0nHc5yanz1XLLNuaC0la4jIt QeYYueUSrYSbw78vfG2zTPdF2b2UH+wKg9iHQKnpzDwK56g6iC5w3fXUZdYpIUGRJGts 4QmQ== ARC-Authentication-Results: i=1; mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org Authentication-Results: mx.google.com; spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Li Jinyue , Thomas Gleixner , peterz@infradead.org, dvhart@infradead.org Subject: [PATCH 4.14 17/89] futex: Prevent overflow by strengthen input validation Date: Mon, 22 Jan 2018 09:44:57 +0100 Message-Id: <20180122083956.427607580@linuxfoundation.org> X-Mailer: git-send-email 2.16.0 In-Reply-To: <20180122083954.683903493@linuxfoundation.org> References: <20180122083954.683903493@linuxfoundation.org> User-Agent: quilt/0.65 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-LABELS: =?utf-8?b?IlxcU2VudCI=?= X-GMAIL-THRID: =?utf-8?q?1590281365405131555?= X-GMAIL-MSGID: =?utf-8?q?1590281945427761883?= X-Mailing-List: linux-kernel@vger.kernel.org List-ID: 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Li Jinyue commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a upstream. UBSAN reports signed integer overflow in kernel/futex.c: UBSAN: Undefined behaviour in kernel/futex.c:2041:18 signed integer overflow: 0 - -2147483648 cannot be represented in type 'int' Add a sanity check to catch negative values of nr_wake and nr_requeue. Signed-off-by: Li Jinyue Signed-off-by: Thomas Gleixner Cc: peterz@infradead.org Cc: dvhart@infradead.org Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com Signed-off-by: Greg Kroah-Hartman --- kernel/futex.c | 3 +++ 1 file changed, 3 insertions(+) --- a/kernel/futex.c +++ b/kernel/futex.c @@ -1878,6 +1878,9 @@ static int futex_requeue(u32 __user *uad struct futex_q *this, *next; DEFINE_WAKE_Q(wake_q); + if (nr_wake < 0 || nr_requeue < 0) + return -EINVAL; + /* * When PI not supported: return -ENOSYS if requeue_pi is true, * consequently the compiler knows requeue_pi is always false past