User: Password:
Subscribe / Log in / New account

[03/93] futex: Handle user space corruption gracefully

From:  Greg KH <>
Subject:  [03/93] futex: Handle user space corruption gracefully
Date:  Fri, 19 Feb 2010 08:28:56 -0800
Cc:,,,, Thomas Gleixner <>, Darren Hart <>, Peter Zijlstra <>
Archive-link:  Article, Thread

2.6.32-stable review patch.  If anyone has any objections, please let us know.


From: Thomas Gleixner <>

commit 51246bfd189064079c54421507236fd2723b18f3 upstream.

If the owner of a PI futex dies we fix up the pi_state and set
pi_state->owner to NULL. When a malicious or just sloppy programmed
user space application sets the futex value to 0 e.g. by calling
pthread_mutex_init(), then the futex can be acquired again. A new
waiter manages to enqueue itself on the pi_state w/o damage, but on
unlock the kernel dereferences pi_state->owner and oopses.

Prevent this by checking pi_state->owner in the unlock path. If
pi_state->owner is not current we know that user space manipulated the
futex value. Ignore the mess and return -EINVAL.

This catches the above case and also the case where a task hijacks the
futex by setting the tid value and then tries to unlock it.

Reported-by: Jermome Marchand <>
Signed-off-by: Thomas Gleixner <>
Acked-by: Darren Hart <>
Acked-by: Peter Zijlstra <>
Signed-off-by: Greg Kroah-Hartman <>

 kernel/futex.c |    7 +++++++
 1 file changed, 7 insertions(+)

--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -758,6 +758,13 @@ static int wake_futex_pi(u32 __user *uad
 	if (!pi_state)
 		return -EINVAL;
+	/*
+	 * If current does not own the pi_state then the futex is
+	 * inconsistent and user space fiddled with the futex value.
+	 */
+	if (pi_state->owner != current)
+		return -EINVAL;
 	new_owner = rt_mutex_next_owner(&pi_state->pi_mutex);

(Log in to post comments)

Copyright © 2010, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds