x86 futex: fix out of bounds shift

8 << 28 needs unsigned to fit, other shifts were done to truncate the input, use a mask instead Change-Id: I81ba41595f4629f1df554e34392116440ff3b641
2018-07-17 18:49:26 +09:00
parent 6f7c428a34
commit bc887aab44
3 changed files with 6 additions and 5 deletions
--- a/arch/x86_64/kernel/include/arch-futex.h
+++ b/arch/x86_64/kernel/include/arch-futex.h
@ -64,12 +64,13 @@ static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
 	return oldval;
 }

-static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
+static inline int futex_atomic_op_inuser(int encoded_op,
+					 int __user *uaddr)
 {
 	int op = (encoded_op >> 28) & 7;
 	int cmp = (encoded_op >> 24) & 15;
-	int oparg = (encoded_op << 8) >> 20;
-	int cmparg = (encoded_op << 20) >> 20;
+	int oparg = (encoded_op & 0x00fff000) >> 12;
+	int cmparg = encoded_op & 0xfff;
 	int oldval = 0, ret, tem;

 	if (encoded_op & (FUTEX_OP_OPARG_SHIFT << 28))
--- a/kernel/include/futex.h
+++ b/kernel/include/futex.h
@ -63,7 +63,7 @@
 #define FUTEX_OP_ANDN		3	/* *(int *)UADDR2 &= ~OPARG; */
 #define FUTEX_OP_XOR		4	/* *(int *)UADDR2 ^= OPARG; */

-#define FUTEX_OP_OPARG_SHIFT	8	/* Use (1 << OPARG) instead of OPARG.  */
+#define FUTEX_OP_OPARG_SHIFT	8U	/* Use (1 << OPARG) instead of OPARG. */

 #define FUTEX_OP_CMP_EQ		0	/* if (oldval == CMPARG) wake */
 #define FUTEX_OP_CMP_NE		1	/* if (oldval != CMPARG) wake */
--- a/kernel/include/lwk/futex.h
+++ b/kernel/include/lwk/futex.h
@ -25,7 +25,7 @@
 #define FUTEX_OP_ANDN		3	/* *(int *)UADDR2 &= ~OPARG; */
 #define FUTEX_OP_XOR		4	/* *(int *)UADDR2 ^= OPARG; */

-#define FUTEX_OP_OPARG_SHIFT	8	/* Use (1 << OPARG) instead of OPARG.  */
+#define FUTEX_OP_OPARG_SHIFT	8U	/* Use (1 << OPARG) instead of OPARG. */

 #define FUTEX_OP_CMP_EQ		0	/* if (oldval == CMPARG) wake */
 #define FUTEX_OP_CMP_NE		1	/* if (oldval != CMPARG) wake */