Date: Tue, 09 Feb 2010 15:58:24 +0800
From: Eugene Teo <>
CC: "Steven M. Christey" <>
Subject: CVE request - kernel: futex: Handle user space corruption gracefully

Description of the issue: "If the owner of a PI futex dies we fix up the
pi_state and set pi_state->owner to NULL. When a malicious or just
sloppily programmed user space application sets the futex value to 0 e.g.
by calling pthread_mutex_init(), then the futex can be acquired again. A
new waiter manages to enqueue itself on the pi_state w/o damage, but on
unlock the kernel dereferences pi_state->owner and oopses.

Prevent this by checking pi_state->owner in the unlock path. If 
pi_state->owner is not current we know that user space manipulated the 
futex value. Ignore the mess and return -EINVAL.

This catches the above case and also the case where a task hijacks the 
futex by setting the tid value and then tries to unlock it."
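As an added illustration (not kernel code and not part of this report), here is a simplified user-space model of the ownership check the fix adds to the unlock path. Only pi_state->owner and -EINVAL come from the description above; the task struct, the scenario functions and the single futex word are assumptions of this model, and the real kernel structures are considerably more involved.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Model of a task; "current" in the kernel is the calling task. */
struct task { int pid; int alive; };

/* Model of the kernel-side pi_state: owner is cleared when the owner dies. */
struct pi_state {
    struct task *owner;   /* NULL after the exit path fixed up a dead owner */
    uint32_t *uaddr;      /* the user-space futex word (modelled as a pointer) */
};

/* What the kernel does when a PI futex owner dies: owner becomes NULL. */
static void owner_died(struct pi_state *ps)
{
    ps->owner->alive = 0;
    ps->owner = NULL;
}

/* Fixed unlock path: if pi_state->owner is not current, user space
 * manipulated the futex value; ignore the mess and return -EINVAL
 * instead of dereferencing a possibly NULL owner. */
int futex_unlock_pi(struct pi_state *ps, struct task *current)
{
    if (ps->owner != current)
        return -EINVAL;
    *ps->uaddr = 0;       /* release the lock word */
    ps->owner = NULL;
    return 0;
}

/* Scenario from the commit message: owner dies, futex word is reset to 0
 * (pthread_mutex_init), another task acquires it and then unlocks. */
int dead_owner_scenario(void)
{
    struct task a = { 1001, 1 }, b = { 1002, 1 };
    uint32_t word = 1001;                          /* a holds the lock */
    struct pi_state ps = { &a, &word };
    owner_died(&ps);                               /* pi_state->owner = NULL */
    word = 0;                                      /* pthread_mutex_init() */
    word = (uint32_t)b.pid;                        /* b acquires in user space */
    return futex_unlock_pi(&ps, &b);               /* -EINVAL, not an oops */
}

/* Second case the check catches: a task writes its own TID into the futex
 * word while the real owner is alive, then tries to unlock. */
int hijack_scenario(void)
{
    struct task a = { 1001, 1 }, b = { 1002, 1 };
    uint32_t word = 1001;
    struct pi_state ps = { &a, &word };
    word = (uint32_t)b.pid;                        /* b overwrites the TID */
    return futex_unlock_pi(&ps, &b);               /* -EINVAL */
}

/* Legitimate unlock by the owning task still succeeds. */
int legitimate_scenario(void)
{
    struct task a = { 1001, 1 };
    uint32_t word = 1001;
    struct pi_state ps = { &a, &word };
    return futex_unlock_pi(&ps, &a);               /* 0 */
}
```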

Upstream commit:

Note that pi-futex was introduced in:


Thanks, Eugene
