Patchwork [hardy,CVE,2/2] futex: Nullify robust lists after cleanup

login
register
mail settings
Submitter Andy Whitcroft
Date Feb. 8, 2012, 7:14 p.m.
Message ID <1328728458-5828-3-git-send-email-apw@canonical.com>
Download mbox | patch
Permalink /patch/140194/
State New
Headers show

Comments

Andy Whitcroft - Feb. 8, 2012, 7:14 p.m.
From: Peter Zijlstra <peterz@infradead.org>

The robust list pointers of user space held futexes are kept intact
over an exec() call. When the exec'ed task exits exit_robust_list() is
called with the stale pointer. The risk of corruption is minimal, but
still it is incorrect to keep the pointers valid. Actually glibc
should uninstall the robust list before calling exec() but we have to
deal with it anyway.

Nullify the pointers after [compat_]exit_robust_list() has been
called.

Reported-by: Anirban Sinha <ani@anirban.org>
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
LKML-Reference: <new-submission>
Cc: stable@kernel.org

(cherry picked from commit fc6b177dee33365ccb29fe6d2092223cf8d679f9)
CVE-2012-0028
BugLink: http://bugs.launchpad.net/bugs/927889
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 kernel/fork.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

Patch

diff --git a/kernel/fork.c b/kernel/fork.c
index 3106adb..5b3e5e2 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -461,11 +461,15 @@  void mm_release(struct task_struct *tsk, struct mm_struct *mm)
 
 	/* Get rid of any futexes when releasing the mm */
 #ifdef CONFIG_FUTEX
-	if (unlikely(tsk->robust_list))
+	if (unlikely(tsk->robust_list)) {
 		exit_robust_list(tsk);
+		tsk->robust_list = NULL;
+	}
 #ifdef CONFIG_COMPAT
-	if (unlikely(tsk->compat_robust_list))
+	if (unlikely(tsk->compat_robust_list)) {
 		compat_exit_robust_list(tsk);
+		tsk->compat_robust_list = NULL;
+	}
 #endif
 #endif