[PATCH] futex: Prevent overflow by strengthen input validation

From: Li Jinyue
Date: Thu Dec 14 2017 - 04:05:30 EST


UBSAN reports signed integer overflow in kernel/futex.c
Test log as follows:
UBSAN: Undefined behaviour in kernel/futex.c:2041:18
signed integer overflow:
0 - -2147483648 cannot be represented in type 'int'

To prevent overflow, we don't allow nr_wake and nr_requeue to accept
a negative entropy value.

Signed-off-by: Li Jinyue <lijinyue@xxxxxxxxxx>
---
kernel/futex.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/kernel/futex.c b/kernel/futex.c
index 57d0b36..0abfa09 100644
--- a/kernel/futex.c
+++ b/kernel/futex.c
@@ -1878,6 +1878,9 @@ static int futex_requeue(u32 __user *uaddr1, unsigned int flags,
struct futex_q *this, *next;
DEFINE_WAKE_Q(wake_q);

+ if (nr_wake < 0 || nr_requeue < 0)
+ return -EINVAL;
+
/*
* When PI not supported: return -ENOSYS if requeue_pi is true,
* consequently the compiler knows requeue_pi is always false past
--
1.6.0.2