Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4B7115A0.1090808@kernel.sg>
Date: Tue, 09 Feb 2010 15:58:24 +0800
From: Eugene Teo <eugeneteo@...nel.sg>
To: oss-security@...ts.openwall.com
CC: "Steven M. Christey" <coley@...us.mitre.org>
Subject: CVE request - kernel: futex: Handle user space corruption gracefully

Description of the issue: "If the owner of a PI futex dies we fix up the 
pi_state and set pi_state->owner to NULL. When a malicious or just 
sloppy programmed user space application sets the futex value to 0 e.g. 
by calling pthread_mutex_init(), then the futex can be acquired again. A 
new waiter manages to enqueue itself on the pi_state w/o damage, but on 
unlock the kernel dereferences pi_state->owner and oopses.

Prevent this by checking pi_state->owner in the unlock path. If 
pi_state->owner is not current we know that user space manipulated the 
futex value. Ignore the mess and return -EINVAL.

This catches the above case and also the case where a task hijacks the 
futex by setting the tid value and then tries to unlock it."

Upstream commit:
http://git.kernel.org/linus/51246bfd189064079c54421507236fd2723b18f3

Note that pi-futex was introduced in:
http://git.kernel.org/linus/c87e2837be82df479a6bae9f155c43516d2feebc

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=563091

Thanks, Eugene

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.