Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

futex: Require sys_futex_requeue() to have identical flags

Nicholas reported that his LLM found it was possible to create a UaF
when sys_futex_requeue() is used with different flags. The initial
motivation for allowing different flags was the variable sized futex,
but since that hasn't been merged (yet), simply mandate the flags are
identical, as is the case for the old style sys_futex() requeue
operations.

Fixes: 0f4b5f972216 ("futex: Add sys_futex_requeue()")
Reported-by: Nicholas Carlini <npc@anthropic.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>

kernel/futex/syscalls.c
··· 459 459 if (ret) 460 460 return ret; 461 461 462 + /* 463 + * For now mandate both flags are identical, like the sys_futex() 464 + * interface has. If/when we merge the variable sized futex support, 465 + * that patch can modify this test to allow a difference in size. 466 + */ 467 + if (futexes[0].w.flags != futexes[1].w.flags) 468 + return -EINVAL; 469 + 462 470 cmpval = futexes[0].w.val; 463 471 464 472 return futex_requeue(u64_to_user_ptr(futexes[0].w.uaddr), futexes[0].w.flags,
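Review bot: the new test `if (futexes[0].w.flags != futexes[1].w.flags) return -EINVAL;` rejects any difference in the whole flags word, including the size bits that the comment says a later variable-sized-futex change would want to permit; it would help to spell out in the comment which bits that future relaxation should mask so the check is not loosened wholesale. Since this closes a reported use-after-free, a Cc: stable tag next to the Fixes: line would make the backport easier to pick up, and because callers that previously passed differing flags now get -EINVAL, the sys_futex_requeue() documentation should note that both flags words must match.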