Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752239AbdCCSYf (ORCPT ); Fri, 3 Mar 2017 13:24:35 -0500 Received: from mx2.suse.de ([195.135.220.15]:54141 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751922AbdCCSXr (ORCPT ); Fri, 3 Mar 2017 13:23:47 -0500 From: Jiri Slaby To: akpm@linux-foundation.org Cc: linux-kernel@vger.kernel.org, Jiri Slaby Subject: [PATCH 2/3] futex: fix decoding of operation Date: Fri, 3 Mar 2017 13:27:11 +0100 Message-Id: <20170303122712.13353-2-jslaby@suse.cz> X-Mailer: git-send-email 2.12.0 In-Reply-To: <20170303122712.13353-1-jslaby@suse.cz> References: <20170303122712.13353-1-jslaby@suse.cz> Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1509 Lines: 44 encoded_op uses int as type which results in pretty weird behaviour. E.g. if encoded_op contains oparg 0xfff, it currently results in oparg being -1. Switch encoded_op to 'unsigned int' which is correct given it is a bit mask anyway. And perform upper bound checking on oparg to inform users about the failure. Finally, avoid int overflows using unsigned shift on oparg. Note that given we use -fno-strict-overflow, this is not a fix as there is no problem to fix in the first place. Signed-off-by: Jiri Slaby --- kernel/futex.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/kernel/futex.c b/kernel/futex.c index c5ff9850952f..c09424406560 100644 --- a/kernel/futex.c +++ b/kernel/futex.c @@ -1457,7 +1457,7 @@ futex_wake(u32 __user *uaddr, unsigned int flags, int nr_wake, u32 bitset) return ret; } -static int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) +static int futex_atomic_op_inuser(unsigned int encoded_op, u32 __user *uaddr) { int op = (encoded_op >> 28) & 7; int cmp = (encoded_op >> 24) & 15; @@ -1465,8 +1465,11 @@ static int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr) int cmparg = (encoded_op << 20) >> 20; int oldval, ret; - if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) - oparg = 1 << oparg; + if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28)) { + if (oparg >= 32) + return -EINVAL; + oparg = 1U << oparg; + } if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32))) return -EFAULT; -- 2.12.0