Ack: [patch][Lucid] UBUNTU: SAUCE: (no-up) Fix regression introduced by patch, for CVE-2014-3153

Brad Figg brad.figg at canonical.com
Fri Jun 6 17:07:12 UTC 2014 

On 06/06/2014 10:01 AM, John Johansen wrote:
> From 0695328167baa4241b1f17b4d0d0a38c7b06981e Mon Sep 17 00:00:00 2001
> From: John Johansen <john.johansen at canonical.com>
> Date: Fri, 6 Jun 2014 17:41:09 +0100
> Subject: [PATCH] UBUNTU: SAUCE: (no-up) Fix regression introduced by patch
>  for CVE-2014-3153
> 
> Phil Turnbull reported a problem with the Lucid (2.6.32) backport of
>   futex: Always cleanup owner tid in unlock_pi
>   commit: 8e4e453d548e3c24e9070eda23c52f210951b921
> 
> In patches-2.6.32.tgz:patches/0003-futex-Always-cleanup-owner-tid-in-unlock_pi.patch
> there is this change (ignoring whitespace changes):
> 
>         curval = cmpxchg_futex_value_locked(uaddr, uval, newval);
> -
> -               if (curval == -EFAULT)
> +       if (curval)
>                 ret = -EFAULT;
> 
> which seems to change the behaviour of the function.
> 
> The purpose of the return value of cmpxchg_futex_value_locked changed in
> 
> 37a9d912b24f96a0591 "futex: Sanitize cmpxchg_futex_value_locked API"
> 
> which is not included in 2.6.32. This patch changes the return value to a
> status code, but in 2.6.32 the return value is the value of the futex or
> -EFAULT. With this backported patch, any futex with a non-zero value will
> return -EFAULT.
> 
> BugLink: http://bugs.launchpad.net/bugs/1327300
> 
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  kernel/futex.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/kernel/futex.c b/kernel/futex.c
> index ae85d66..cd50a44 100644
> --- a/kernel/futex.c
> +++ b/kernel/futex.c
> @@ -932,7 +932,7 @@ static int wake_futex_pi(u32 __user *uaddr, u32 uval, struct futex_q *this)
>  	newval = FUTEX_WAITERS | task_pid_vnr(new_owner);
>  
>  	curval = cmpxchg_futex_value_locked(uaddr, uval, newval);
> -	if (curval)
> +	if (curval == -EFAULT)
>  		ret = -EFAULT;
>  	else if (curval != uval)
>  		ret = -EINVAL;
> 


-- 
Brad Figg brad.figg at canonical.com http://www.canonical.com

More information about the kernel-team mailing list