Prevent overflow by strengthen input validation in kernel-futex CVE-2018-6927

Tracked by Jolla

asked 2018-06-26 07:37:16 +0300

this post is marked as community wiki

This post is a wiki. Anyone with karma >75 is welcome to improve it.

updated 2018-06-26 07:37:16 +0300

lpr gravatar image

The futex_requeue function in kernel/futex.c in the Linux kernel before 4.14.15 might allow attackers to cause a denial of service (integer overflow) or possibly have unspecified other impact by triggering a negative wake or requeue value. CVSS Score: 7.8HIGH local

Kernel-3.2 patch is available.

File affected: kernel-adaptation-sbj-3.4.108.20171107.1/kernel/futex.c lines 1378-1384

So the whole patch should look like:

@@ -1378,6 +1378,9 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
struct plist_head *head1;
struct futex_q *this, *next;

 +  if (nr_wake < 0 || nr_requeue < 0)
 +      return -EINVAL;
 +
if (requeue_pi) {
    /*
     * Requeue PI only works on two distinct uaddrs. This
edit retag flag offensive close delete

Comments

https://source.android.com/security/bulletin/2018-07-01 : A-76106267 Elevation_of_Privilege / Severity: High

lpr ( 2018-07-03 22:06:01 +0300 )edit