** Description changed:

- If uaddr == uaddr2, then we have broken the rule of only requeueing from
- a non-pi futex to a pi futex with this call. If we attempt this, then
- dangling pointers may be left for rt_waiter resulting in an exploitable
- condition.
+ The futex_requeue function in kernel/futex.c in the Linux kernel through
+ 3.14.5 does not ensure that calls have two different futex addresses,
+ which allows local users to gain privileges via a crafted FUTEX_REQUEUE
+ command that facilitates unsafe waiter modification.

Break-Fix: 52400ba946759af28442dee6265c5c0180ac7122 54a217887a7b658e2650c3feff22756ab80c7339
Break-Fix: 52400ba946759af28442dee6265c5c0180ac7122 13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e
Break-Fix: 52400ba946759af28442dee6265c5c0180ac7122 b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270
Break-Fix: 52400ba946759af28442dee6265c5c0180ac7122 e9c243a5a6de0be8e584c604d353412584b592f8
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1326367

Title:
  exploitable futex vulnerability

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1326367/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
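The description above says the bug is a requeue_pi call whose two futex addresses are the same. The following probe is an added example, not code from the bug report or from the Ubuntu kernel team: it issues exactly that call (FUTEX_CMP_REQUEUE_PI with uaddr2 == uaddr) against the running kernel with no waiters present, so nothing is requeued or corrupted either way. A kernel carrying the fix refuses the same-address requeue with EINVAL before it touches any waiter; a kernel without it accepts the call and returns 0. It assumes a Linux host with glibc's syscall() wrapper; sandboxed kernels that do not implement PI futexes at all (ENOSYS) make the result inconclusive rather than vulnerable, and the code treats them that way.

```c
/* Added probe, not part of the Launchpad bug report.
 * Ask the kernel to requeue a futex onto itself with FUTEX_CMP_REQUEUE_PI,
 * the uaddr == uaddr2 case the bug description says must be rejected.
 * No waiter is ever queued, so the call is harmless on any kernel. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/futex.h>

/* Fallbacks for older uapi headers; values match linux/futex.h. */
#ifndef FUTEX_CMP_REQUEUE_PI
#define FUTEX_CMP_REQUEUE_PI 12
#endif
#ifndef FUTEX_PRIVATE_FLAG
#define FUTEX_PRIVATE_FLAG 128
#endif

/* futex(uaddr, FUTEX_CMP_REQUEUE_PI|PRIVATE, nr_wake=1, nr_requeue=0,
 *       uaddr2 = uaddr, val3 = *uaddr)
 * Returns 0 if the kernel accepted the same-address requeue (the
 * pre-fix behaviour), otherwise the errno it rejected the call with:
 * EINVAL on a fixed kernel, ENOSYS where PI futexes are unsupported. */
int futex_same_addr_requeue_pi_probe(void)
{
    /* One 4-byte aligned futex word, deliberately passed as BOTH
     * uaddr and uaddr2. val3 equals its current contents so the
     * compare step would not fail first on an unfixed kernel. */
    static uint32_t word = 0;

    long rc = syscall(SYS_futex, &word,
                      (long)(FUTEX_CMP_REQUEUE_PI | FUTEX_PRIVATE_FLAG),
                      (long)1,          /* nr_wake: requeue_pi requires 1 */
                      (long)0,          /* nr_requeue                      */
                      &word,            /* uaddr2 == uaddr                  */
                      (long)word);      /* val3: expected value of *uaddr   */
    return rc == 0 ? 0 : errno;
}

/* Stand-alone use: report whether the running kernel carries the fix. */
int main(void)
{
    int err = futex_same_addr_requeue_pi_probe();

    if (err == EINVAL)
        printf("kernel rejects uaddr == uaddr2 for requeue_pi (EINVAL): fix present\n");
    else if (err == 0)
        printf("kernel accepted a same-address requeue_pi call: fix absent\n");
    else
        printf("inconclusive: futex() failed with %s\n", strerror(err));
    return 0;
}
```

The probe only checks the first guard the fix adds (rejecting identical user addresses); it says nothing about the other Break-Fix commits listed above, which harden pi_state handling on different paths.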