diff mbox

[hardy,CVE,2/2] futex: Nullify robust lists after cleanup

Message ID 1328728458-5828-3-git-send-email-apw@canonical.com
State New
Headers show

Commit Message

Andy Whitcroft Feb. 8, 2012, 7:14 p.m. UTC 
From: Peter Zijlstra <peterz@infradead.org>

The robust list pointers of user space held futexes are kept intact
over an exec() call. When the exec'ed task exits exit_robust_list() is
called with the stale pointer. The risk of corruption is minimal, but
still it is incorrect to keep the pointers valid. Actually glibc
should uninstall the robust list before calling exec() but we have to
deal with it anyway.

Nullify the pointers after [compat_]exit_robust_list() has been
called.

Reported-by: Anirban Sinha <ani@anirban.org>
Signed-off-by: Peter Zijlstra <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
LKML-Reference: <new-submission>
Cc: stable@kernel.org

(cherry picked from commit fc6b177dee33365ccb29fe6d2092223cf8d679f9)
CVE-2012-0028
BugLink: http://bugs.launchpad.net/bugs/927889
Signed-off-by: Andy Whitcroft <apw@canonical.com>
---
 kernel/fork.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)
diff mbox

Patch

diff --git a/kernel/fork.c b/kernel/fork.c
index 3106adb..5b3e5e2 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -461,11 +461,15 @@  void mm_release(struct task_struct *tsk, struct mm_struct *mm)
 
 	/* Get rid of any futexes when releasing the mm */
 #ifdef CONFIG_FUTEX
-	if (unlikely(tsk->robust_list))
+	if (unlikely(tsk->robust_list)) {
 		exit_robust_list(tsk);
+		tsk->robust_list = NULL;
+	}
 #ifdef CONFIG_COMPAT
-	if (unlikely(tsk->compat_robust_list))
+	if (unlikely(tsk->compat_robust_list)) {
 		compat_exit_robust_list(tsk);
+		tsk->compat_robust_list = NULL;
+	}
 #endif
 #endif