ASB-2018-07-05_4.4-o-mr1 - kernel/common.git

tag	c28cfbc08afc7b665169285efba2747ca1ce2c64
tagger	Todd Kjos <tkjos@google.com>	Fri Jul 06 15:19:00 2018 -0700
object	aa18f333a1a9dcef343807492bd461da49e2a7d7

https://source.android.com/security/bulletin/2018-07-01
CVE-2018-9422
CVE-2018-9417
CVE-2018-6927
CVE-2018-9416
CVE-2018-9415
CVE-2018-9415
CVE-2018-7995
CVE-2018-1065
CVE-2017-18218
CVE-2017-1000112

Not included:
CVE-2018-5703 : Skipped due to fix rejected upstream

commit	aa18f333a1a9dcef343807492bd461da49e2a7d7	[log] [tgz]
author	Li Jinyue <lijinyue@huawei.com>	Thu Dec 14 17:04:54 2017 +0800
committer	Todd Kjos <tkjos@google.com>	Thu Jul 05 18:10:18 2018 -0700
tree	ba962dc428ffbaafccfd49aa11c54d49ffc22ee9
parent	fd7dab9d41a9255e8809bfd9238c77d029af1a5f [diff]

futex: Prevent overflow by strengthen input validation

commit fbe0e839d1e22d88810f3ee3e2f1479be4c0aa4a upstream.

UBSAN reports signed integer overflow in kernel/futex.c:

 UBSAN: Undefined behaviour in kernel/futex.c:2041:18
 signed integer overflow:
 0 - -2147483648 cannot be represented in type 'int'

Add a sanity check to catch negative values of nr_wake and nr_requeue.

Signed-off-by: Li Jinyue <lijinyue@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: peterz@infradead.org
Cc: dvhart@infradead.org
Link: https://lkml.kernel.org/r/1513242294-31786-1-git-send-email-lijinyue@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

kernel/futex.c[diff]

1 file changed