futex: Validate atomic acquisition in futex_lock_pi_atomic()

We need to protect the atomic acquisition in the kernel against rogue user space which sets the user space futex to 0, so the kernel side acquisition succeeds while there is existing state in the kernel associated to the real owner. Verify whether the futex has waiters associated with kernel state. If it has, return -EINVAL. The state is corrupted already, so no point in cleaning it up. Subsequent calls will fail as well. Not our problem. [ tglx: Use futex_top_waiter() and explain why we do not need to try restoring the already corrupted user space state. ] Signed-off-by: Darren Hart <dvhart@linux.intel.com> Cc: Kees Cook <keescook@chromium.org> Cc: Will Drewry <wad@chromium.org> Cc: stable@vger.kernel.org Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

futex: Validate atomic acquisition in futex_lock_pi_atomic()
We need to protect the atomic acquisition in the kernel against rogue user space which sets the user space futex to 0, so the kernel side acquisition succeeds while there is existing state in the kernel associated to the real owner. Verify whether the futex has waiters associated with kernel state. If it has, return -EINVAL. The state is corrupted already, so no point in cleaning it up. Subsequent calls will fail as well. Not our problem. [ tglx: Use futex_top_waiter() and explain why we do not need to try restoring the already corrupted user space state. ] Signed-off-by: Darren Hart <dvhart@linux.intel.com> Cc: Kees Cook <keescook@chromium.org> Cc: Will Drewry <wad@chromium.org> Cc: stable@vger.kernel.org Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Thomas Gleixner · Linus Torvalds · Eric Lee · Eric Lee · Eric Lee · Eric Lee
1 parent e9c243a5a6
Showing 1 changed file with 11 additions and 3 deletions Side-by-side Diff
kernel/futex.c
@@ -910,10 +910,18 @@
 		return -EDEADLK;
  
 	/*
-	 * Surprise - we got the lock. Just return to userspace:
+	 * Surprise - we got the lock, but we do not trust user space at all.
 	 */
-	if (unlikely(!curval))
-		return 1;
+	if (unlikely(!curval)) {
+		/*
+		 * We verify whether there is kernel state for this
+		 * futex. If not, we can safely assume, that the 0 ->
+		 * TID transition is correct. If state exists, we do
+		 * not bother to fixup the user space state as it was
+		 * corrupted already.
+		 */
+		return futex_top_waiter(hb, key) ? -EINVAL : 1;
+	}
  
 	uval = curval;
...	...	@@ -910,10 +910,18 @@
910	910	return -EDEADLK;
911	911
912	912	/*
913		- * Surprise - we got the lock. Just return to userspace:
	913	+ * Surprise - we got the lock, but we do not trust user space at all.
914	914	*/
915		- if (unlikely(!curval))
916		- return 1;
	915	+ if (unlikely(!curval)) {
	916	+ /*
	917	+ * We verify whether there is kernel state for this
	918	+ * futex. If not, we can safely assume, that the 0 ->
	919	+ * TID transition is correct. If state exists, we do
	920	+ * not bother to fixup the user space state as it was
	921	+ * corrupted already.
	922	+ */
	923	+ return futex_top_waiter(hb, key) ? -EINVAL : 1;
	924	+ }
917	925
918	926	uval = curval;
919	927