UPSTREAM: futex: Forbid uaddr == uaddr2 in futex_requeue(..., requeue_pi=1)

If uaddr == uaddr2, then we have broken the rule of only requeueing
from a non-pi futex to a pi futex with this call. If we attempt this,
then dangling pointers may be left for rt_waiter resulting in an
exploitable condition.

This change brings futex_requeue() into line with
futex_wait_requeue_pi() which performs the same check as per commit
6f7b0a2a5 (futex: Forbid uaddr == uaddr2 in futex_wait_requeue_pi())

[ tglx: Compare the resulting keys as well, as uaddrs might be
  	different depending on the mapping ]

Fixes CVE-2014-3153.

Reported-by: Pinkie Pie
Signed-off-by: Will Drewry <wad@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

BUG=chromium:377392
TEST=nyan build & boot

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/202664
Reviewed-by: Will Drewry <wad@chromium.org>

(cherry picked from ToT commit 04bee4e6d1d6eeb6523eb7c0981c00edf2b4af14)
Signed-off-by: Kees Cook <keescook@chromium.org>

Change-Id: Ic47e80285441a3c275a71e2e41b3f17f59690c68
Reviewed-on: https://chromium-review.googlesource.com/202930
Tested-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Will Drewry <wad@chromium.org>
Commit-Queue: Kees Cook <keescook@chromium.org>
1 file changed