From patchwork Thu Dec 14 09:04:54 2017
X-Patchwork-Submitter: Li Jinyue
X-Patchwork-Id: 121888
From: Li Jinyue
CC: Li Jinyue
Subject: [PATCH] futex: Prevent overflow by strengthen input validation
Date: Thu, 14 Dec 2017 17:04:54 +0800
Message-ID: <1513242294-31786-1-git-send-email-lijinyue@huawei.com>
X-Mailer: git-send-email 1.6.0.2
X-Mailing-List: linux-kernel@vger.kernel.org

UBSAN reports signed integer overflow in kernel/futex.c

Test log as follows:

UBSAN: Undefined behaviour in kernel/futex.c:2041:18
signed integer overflow:
0 - -2147483648 cannot be represented in type 'int'

To prevent overflow, we don't allow nr_wake and nr_requeue to accept
a negative entropy value.

Signed-off-by: Li Jinyue --- kernel/futex.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-) -- 1.6.0.2 diff --git a/kernel/futex.c b/kernel/futex.c index 57d0b36..0abfa09 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -1878,6 +1878,9 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags, struct futex_q *this, *next; DEFINE_WAKE_Q(wake_q); + if (nr_wake < 0 || nr_requeue < 0) + return -EINVAL; + /* * When PI not supported: return -ENOSYS if requeue_pi is true, * consequently the compiler knows requeue_pi is always false past
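
Review bot: the new "if (nr_wake < 0 || nr_requeue < 0)" test at the top of futex_requeue() carries no comment, and the changelog only quotes the UBSAN line (kernel/futex.c:2041:18, "0 - -2147483648") without naming the expression that overflows or which of the two arguments arrived as INT_MIN. Please add a one-line comment above the check saying that negative counts are rejected because later arithmetic on them can overflow a signed int, and name the offending expression in the changelog so the check can be verified against it. The changelog should also state that returning -EINVAL for negative nr_wake or nr_requeue is a user-visible change for any caller that passed such values before; "negative entropy value" in the last sentence looks like it should just read "negative value".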