From patchwork Wed Feb 8 19:14:18 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: [hardy,CVE,2/2] futex: Nullify robust lists after cleanup Date: Wed, 08 Feb 2012 09:14:18 -0000 From: Andy Whitcroft X-Patchwork-Id: 140194 Message-Id: <1328728458-5828-3-git-send-email-apw@canonical.com> To: kernel-team@lists.ubuntu.com Cc: Andy Whitcroft From: Peter Zijlstra The robust list pointers of user space held futexes are kept intact over an exec() call. When the exec'ed task exits exit_robust_list() is called with the stale pointer. The risk of corruption is minimal, but still it is incorrect to keep the pointers valid. Actually glibc should uninstall the robust list before calling exec() but we have to deal with it anyway. Nullify the pointers after [compat_]exit_robust_list() has been called. Reported-by: Anirban Sinha Signed-off-by: Peter Zijlstra Signed-off-by: Thomas Gleixner LKML-Reference: Cc: stable@kernel.org (cherry picked from commit fc6b177dee33365ccb29fe6d2092223cf8d679f9) CVE-2012-0028 BugLink: http://bugs.launchpad.net/bugs/927889 Signed-off-by: Andy Whitcroft --- kernel/fork.c | 8 ++++++-- 1 files changed, 6 insertions(+), 2 deletions(-) diff --git a/kernel/fork.c b/kernel/fork.c index 3106adb..5b3e5e2 100644 --- a/kernel/fork.c +++ b/kernel/fork.c @@ -461,11 +461,15 @@ void mm_release(struct task_struct *tsk, struct mm_struct *mm) /* Get rid of any futexes when releasing the mm */ #ifdef CONFIG_FUTEX - if (unlikely(tsk->robust_list)) + if (unlikely(tsk->robust_list)) { exit_robust_list(tsk); + tsk->robust_list = NULL; + } #ifdef CONFIG_COMPAT - if (unlikely(tsk->compat_robust_list)) + if (unlikely(tsk->compat_robust_list)) { compat_exit_robust_list(tsk); + tsk->compat_robust_list = NULL; + } #endif #endif