[CVE artful/linux trusty/linux] CVE-2018-6927 -- futex dos


Andy Whitcroft-3
CVE-2018-6927
        It was discovered that an integer overflow error existed
        in the futex implementation in the Linux kernel. A local
        attacker could use this to cause a denial of service
        (system crash).

Simple backports of the upstream fix follow this email.  Patches are
provided for artful and trusty.  Other series have already received this
via upstream or stable.

Proposing for SRU to artful/linux and trusty/linux.

-apw

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[artful/master-next 1/1] futex: Prevent overflow by strengthen input validation

Andy Whitcroft-3
From: Li Jinyue <[hidden email]>

UBSAN reports signed integer overflow in kernel/futex.c:

 UBSAN: Undefined behaviour in kernel/futex.c:2041:18
 signed integer overflow:
 0 - -2147483648 cannot be represented in type 'int'

Add a sanity check to catch negative values of nr_wake and nr_requeue.

Signed-off-by: Li Jinyue <[hidden email]>
Signed-off-by: Thomas Gleixner <[hidden email]>
Cc: [hidden email]
Cc: [hidden email]
Cc: [hidden email]
Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@...

(backported from commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a)
CVE-2018-6927
Signed-off-by: Andy Whitcroft <[hidden email]>
---
 kernel/futex.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/futex.c b/kernel/futex.c
index b5270cfcfd8c..a32ff9a10a9f 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1866,6 +1866,9 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
  struct futex_q *this, *next;
  DEFINE_WAKE_Q(wake_q);
 
+ if (nr_wake < 0 || nr_requeue < 0)
+ return -EINVAL;
+
  if (requeue_pi) {
  /*
  * Requeue PI only works on two distinct uaddrs. This
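Review bot: the added `if (nr_wake < 0 || nr_requeue < 0)` check at the top of futex_requeue() carries no comment, so the reason for rejecting negative counts lives only in the commit message (the UBSAN report of `0 - -2147483648` not fitting in 'int'). Suggest a one-line comment above the check recording that negative counts lead to signed overflow, so the rationale stays with the code. Placement ahead of `if (requeue_pi)` looks right: it covers both paths and returns before anything visible in this hunk needs undoing.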
--
2.17.0



[trusty/master-next 1/1] futex: Prevent overflow by strengthen input validation

Andy Whitcroft-3
In reply to this post by Andy Whitcroft-3
From: Li Jinyue <[hidden email]>

UBSAN reports signed integer overflow in kernel/futex.c:

 UBSAN: Undefined behaviour in kernel/futex.c:2041:18
 signed integer overflow:
 0 - -2147483648 cannot be represented in type 'int'

Add a sanity check to catch negative values of nr_wake and nr_requeue.

Signed-off-by: Li Jinyue <[hidden email]>
Signed-off-by: Thomas Gleixner <[hidden email]>
Cc: [hidden email]
Cc: [hidden email]
Cc: [hidden email]
Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@...

(backported from commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a)
CVE-2018-6927
Signed-off-by: Andy Whitcroft <[hidden email]>
---
 kernel/futex.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/futex.c b/kernel/futex.c
index af6bdd842e06..26fe00d4b57f 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1385,6 +1385,9 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
  struct plist_head *head1;
  struct futex_q *this, *next;
 
+ if (nr_wake < 0 || nr_requeue < 0)
+ return -EINVAL;
+
  if (requeue_pi) {
  /*
  * Requeue PI only works on two distinct uaddrs. This
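Review bot: the commit message of this trusty backport still cites `kernel/futex.c:2041:18` from the UBSAN report, while the hunk lands at line 1385 and its context differs from the artful backport in this thread (`struct plist_head *head1;` present, no `DEFINE_WAKE_Q(wake_q);`), yet the `(backported from commit ...)` line does not say what was adjusted. Suggest a short bracketed note after that line stating that only the context changed, so a later reader can confirm the added check is identical to the upstream one.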
--
2.17.0
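
Added example, not part of the original thread or of the kernel source: a user-space C model of why the two backports above reject negative counts. The loop bound `task_count - nr_wake >= nr_requeue` is an assumption chosen to match the operands in the UBSAN report; `limit_reached()` and `requeue_model()` are hypothetical names.

```c
/* Added illustration: user-space model, not kernel code (GCC/Clang builtin). */
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Assumed loop bound "task_count - nr_wake >= nr_requeue" (not shown on the
 * page). Returns 1 if the limit is reached, 0 if not, and -EOVERFLOW when
 * the subtraction cannot be represented in int instead of overflowing.
 */
static int limit_reached(int task_count, int nr_wake, int nr_requeue)
{
    int diff;

    if (__builtin_sub_overflow(task_count, nr_wake, &diff))
        return -EOVERFLOW;
    return diff >= nr_requeue;
}

/*
 * Hypothetical requeue model: walks `queued` waiters and returns how many
 * were woken or requeued. validate == true applies the check the patch
 * adds; validate == false models the entry point without it.
 */
static int requeue_model(int nr_wake, int nr_requeue, int queued, bool validate)
{
    int task_count = 0;

    if (validate && (nr_wake < 0 || nr_requeue < 0))
        return -EINVAL;

    for (int i = 0; i < queued; i++) {
        int r = limit_reached(task_count, nr_wake, nr_requeue);
        if (r < 0)
            return r;       /* 0 - INT_MIN: the case UBSAN reported */
        if (r)
            break;
        task_count++;
    }
    return task_count;
}

int main(void)
{
    printf("valid counts:        %d\n", requeue_model(1, 2, 8, true));
    printf("INT_MIN, no check:   %d\n", requeue_model(INT_MIN, 1, 8, false));
    printf("INT_MIN, with check: %d\n", requeue_model(INT_MIN, 1, 8, true));
    return 0;
}
```
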



ACK: [CVE artful/linux trusty/linux] CVE-2018-6927 -- futex dos

Stefan Bader-2
In reply to this post by Andy Whitcroft-3
On 01.06.2018 02:06, Andy Whitcroft wrote:

> CVE-2018-6927
> It was discovered that an integer overflow error existed
> in the futex implementation in the Linux kernel. A local
> attacker could use this to cause a denial of service
> (system crash).
>
> Simple backports of the upstream fix follow this email.  Patches are
> provided for artful and trusty.  Other series have already received this
> via upstream or stable.
>
> Proposing for SRU to artful/linux and trusty/linux.
>
> -apw
>
Acked-by: Stefan Bader <[hidden email]>




ACK: [CVE artful/linux trusty/linux] CVE-2018-6927 -- futex dos

Kleber Souza
In reply to this post by Andy Whitcroft-3
On 06/01/18 02:06, Andy Whitcroft wrote:

> CVE-2018-6927
> It was discovered that an integer overflow error existed
> in the futex implementation in the Linux kernel. A local
> attacker could use this to cause a denial of service
> (system crash).
>
> Simple backports of the upstream fix follow this email.  Patches are
> provided for artful and trusty.  Other series have already received this
> via upstream or stable.
>
> Proposing for SRU to artful/linux and trusty/linux.
>
> -apw
>

Acked-by: Kleber Sacilotto de Souza <[hidden email]>


APPLIED: [CVE artful/linux trusty/linux] CVE-2018-6927 -- futex dos

Khaled Elmously
In reply to this post by Andy Whitcroft-3
Applied to A and T

On 2018-06-01 10:06:10 , Andy Whitcroft wrote:

> CVE-2018-6927
> It was discovered that an integer overflow error existed
> in the futex implementation in the Linux kernel. A local
> attacker could use this to cause a denial of service
> (system crash).
>
> Simple backports of the upstream fix follow this email.  Patches are
> provided for artful and trusty.  Other series have already received this
> via upstream or stable.
>
> Proposing for SRU to artful/linux and trusty/linux.
>
> -apw
>