encoded_op uses int as type which results in pretty weird behaviour.
E.g. if encoded_op contains oparg 0xfff, it currently results in oparg
being -1.
Switch encoded_op to 'unsigned int' which is correct given it is a bit
mask anyway. And perform upper bound checking on oparg to inform users
about the failure. Finally, avoid int overflows using unsigned shift on
oparg. Note that given we use -fno-strict-overflow, this is not a fix as
there is no problem to fix in the first place.
Signed-off-by: Jiri Slaby <jsl...@suse.cz>
---
kernel/futex.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/kernel/futex.c b/kernel/futex.c
index c5ff9850952f..c09424406560 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1457,7 +1457,7 @@ futex_wake(u32 __user *uaddr, unsigned int flags, int
nr_wake, u32 bitset)
return ret;
}
-static int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
+static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr)
{
int op = (encoded_op >> 28) & 7;
int cmp = (encoded_op >> 24) & 15;
@@ -1465,8 +1465,11 @@ static int futex_atomic_op_inuser(int encoded_op, u32
__user *uaddr)
int cmparg = (encoded_op << 20) >> 20;
int oldval, ret;
- if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
- oparg = 1 << oparg;
+ if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) {
+ if (oparg >= 32)
+ return -EINVAL;
+ oparg = 1U << oparg;
+ }
if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
return -EFAULT;
--
2.12.0
