encoded_op uses int as type which results in pretty weird behaviour. E.g. if encoded_op contains oparg 0xfff, it currently results in oparg being -1.
Switch encoded_op to 'unsigned int' which is correct given it is a bit mask anyway. And perform upper bound checking on oparg to inform users about the failure. Finally, avoid int overflows using unsigned shift on oparg. Note that given we use -fno-strict-overflow, this is not a fix as there is no problem to fix in the first place. Signed-off-by: Jiri Slaby <jsl...@suse.cz> --- kernel/futex.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/kernel/futex.c b/kernel/futex.c index c5ff9850952f..c09424406560 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -1457,7 +1457,7 @@ futex_wake(u32 __user *uaddr, unsigned int flags, int nr_wake, u32 bitset) return ret; } -static int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) +static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr) { int op = (encoded_op >> 28) & 7; int cmp = (encoded_op >> 24) & 15; @@ -1465,8 +1465,11 @@ static int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) int cmparg = (encoded_op << 20) >> 20; int oldval, ret; - if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) - oparg = 1 << oparg; + if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) { + if (oparg >= 32) + return -EINVAL; + oparg = 1U << oparg; + } if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) return -EFAULT; -- 2.12.0