From: peterz@infradead.org Date: Thu, 21 Sep 2023 10:45:09 +0000 (+0200) Subject: futex: Validate futex value against futex size X-Git-Tag: io_uring-futex-2023-10-30~8^2~9 X-Git-Url: https://git.kernel.dk/?a=commitdiff_plain;h=698eb826383616ce0e817d2384da6413d1439fb6;p=linux-block.git futex: Validate futex value against futex size Ensure the futex value fits in the given futex size. Since this adds a constraint to an existing syscall, it might possibly change behaviour. Currently the value would be truncated to a u32 and any high bits would get silently lost. Signed-off-by: Peter Zijlstra (Intel) Reviewed-by: Thomas Gleixner Link: https://lore.kernel.org/r/20230921105247.828934099@noisy.programming.kicks-ass.net --- diff --git a/kernel/futex/futex.h b/kernel/futex/futex.h index 68fc052dc09b..a3f1fceafcbe 100644 --- a/kernel/futex/futex.h +++ b/kernel/futex/futex.h @@ -85,6 +85,16 @@ static inline bool futex_flags_valid(unsigned int flags) return true; } +static inline bool futex_validate_input(unsigned int flags, u64 val) +{ + int bits = 8 * futex_size(flags); + + if (bits < 64 && (val >> bits)) + return false; + + return true; +} + #ifdef CONFIG_FAIL_FUTEX extern bool should_fail_futex(bool fshared); #else diff --git a/kernel/futex/syscalls.c b/kernel/futex/syscalls.c index 948ac247c1c6..2339f9ccee7f 100644 --- a/kernel/futex/syscalls.c +++ b/kernel/futex/syscalls.c @@ -209,6 +209,9 @@ static int futex_parse_waitv(struct futex_vector *futexv, if (!futex_flags_valid(flags)) return -EINVAL; + if (!futex_validate_input(flags, aux.val)) + return -EINVAL; + futexv[i].w.flags = flags; futexv[i].w.val = aux.val; futexv[i].w.uaddr = aux.uaddr;