Commit-ID: 8f3365e34f7519904d78d9fb6dd9e4bae606b9b5 Gitweb: https://git.kernel.org/tip/8f3365e34f7519904d78d9fb6dd9e4bae606b9b5 Author: Peter Zijlstra <pet...@infradead.org> AuthorDate: Wed, 6 Dec 2017 22:40:08 +0100 Committer: Thomas Gleixner <t...@linutronix.de> CommitDate: Thu, 28 Dec 2017 15:19:12 +0100
futex: Sanitize user address in set_robust_list() Passing in unaligned variables messes up cmpxchg on a whole bunch of architectures and causes a in kernel lockup when the robust list is accessed. Also, not respecting the natural alignment of data structures is pretty dumb to begin with. Signed-off-by: Peter Zijlstra (Intel) <pet...@infradead.org> Signed-off-by: Thomas Gleixner <t...@linutronix.de> Cc: dvh...@infradead.org Cc: xiexi...@huawei.com Cc: Cheng Jian <cj.chengj...@huawei.com> Cc: huawei.li...@huawei.com Cc: sta...@vger.kernel.org Link: https://lkml.kernel.org/r/20171206214007.GI3857@worktop
---
 include/uapi/asm-generic/errno.h | 1 +
 kernel/futex.c | 5 +++++
 2 files changed, 6 insertions(+)
diff --git a/include/uapi/asm-generic/errno.h b/include/uapi/asm-generic/errno.h
index cf9c51a..e306ee4 100644
--- a/include/uapi/asm-generic/errno.h
+++ b/include/uapi/asm-generic/errno.h
@@ -119,5 +119,6 @@
 #define ERFKILL 132 /* Operation not possible due to RF-kill */
 #define EHWPOISON 133 /* Memory page has hardware error */
+#define EMORON 134 /* User did something particularly silly */
 #endif
diff --git a/kernel/futex.c b/kernel/futex.c
index 57d0b36..4f471aa 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -3262,6 +3262,8 @@ out:
 SYSCALL_DEFINE2(set_robust_list, struct robust_list_head __user *, head,
 size_t, len)
 {
+ unsigned long address = (unsigned long)head;
+
 if (!futex_cmpxchg_enabled)
 return -ENOSYS;
 /*
@@ -3270,6 +3272,9 @@ SYSCALL_DEFINE2(set_robust_list, struct robust_list_head __user *, head,
 if (unlikely(len != sizeof(*head)))
 return -EINVAL;
+ if (unlikely(address % __alignof__(*head)))
+ return -EMORON;
+
 current->robust_list = head;
 return 0;
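Review bot: The new `EMORON` value lands in a UAPI header, so it becomes a user-visible errno that no existing libc can translate, for a condition that `-EINVAL` already describes; the length check in the same syscall returns `-EINVAL` for a malformed argument. It is also defined only in include/uapi/asm-generic/errno.h, and architectures that carry their own errno.h instead of including the generic one would presumably not see it, which would break the build of kernel/futex.c there. I would drop this hunk and have the alignment check use `return -EINVAL;`.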
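Review bot: The alignment test added before `current->robust_list = head;` validates only the list head pointer, while the commit message attributes the lockup to cmpxchg on an unaligned futex word. The entry pointers and the futex offset are read from user memory when the list is walked at exit, which is outside this diff (the function's closing brace is also outside the hunk), so an aligned head can presumably still lead to an unaligned word; the check belongs where the futex address is computed, failing before the cmpxchg. The compat variant of this syscall, also not shown here, should get the same treatment if it stores the pointer unchecked. If the check stays in this place, the `address` local from the previous hunk can be dropped in favour of `if (unlikely(!IS_ALIGNED((unsigned long)head, __alignof__(*head))))`.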