kernel/SOURCES/1754-eventpoll-fix-integer-overflow-in-ep-loop-check-proc.patch
Andrew Lukoshko 2042c1b105 Recreate RHEL 5.14.0-687.23.1 from CS9/CS10/upstream backports
- Drop AlmaLinux ahead-of-RHEL eventpoll CVE-2026-46242 fix (1712), superseded
  by the RHEL eventpoll series in 687.23.1
- Temporarily drop the rtmutex remove_waiter() fixes (1736, 1738)
- Add RHEL 687.23.1 backports recreated from CS10/upstream (1739-1755)
2026-07-08 15:20:58 +00:00

58 lines
2.2 KiB
Diff

From 2eb0a1e08ebad5be00433093449abf025450ca6d Mon Sep 17 00:00:00 2001
From: Ian Kent <ikent@redhat.com>
Date: Wed, 17 Jun 2026 12:08:43 +0800
Subject: [PATCH] eventpoll: Fix integer overflow in ep_loop_check_proc()
JIRA: https://redhat.atlassian.net/browse/RHEL-180777
Upstream status: Linus
commit fdcfce93073d990ed4b71752e31ad1c1d6e9d58b
Author: Jann Horn <jannh@google.com>
Date: Mon Feb 23 20:59:33 2026 +0100
eventpoll: Fix integer overflow in ep_loop_check_proc()
If a recursive call to ep_loop_check_proc() hits the `result = INT_MAX`,
an integer overflow will occur in the calling ep_loop_check_proc() at
`result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1)`,
breaking the recursion depth check.
Fix it by using a different placeholder value that can't lead to an
overflow.
Reported-by: Guenter Roeck <linux@roeck-us.net>
Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Link: https://patch.msgid.link/20260223-epoll-int-overflow-v1-1-452f35132224@google.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Ian Kent <ikent@redhat.com>
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
index 5228ff9c8742..cb21dfe9ee0a 100644
--- a/fs/eventpoll.c
+++ b/fs/eventpoll.c
@@ -2130,7 +2130,8 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events,
* @ep: the &struct eventpoll to be currently checked.
* @depth: Current depth of the path being checked.
*
- * Return: depth of the subtree, or INT_MAX if we found a loop or went too deep.
+ * Return: depth of the subtree, or a value bigger than EP_MAX_NESTS if we found
+ * a loop or went too deep.
*/
static int ep_loop_check_proc(struct eventpoll *ep, int depth)
{
@@ -2149,7 +2150,7 @@ static int ep_loop_check_proc(struct eventpoll *ep, int depth)
struct eventpoll *ep_tovisit;
ep_tovisit = epi->ffd.file->private_data;
if (ep_tovisit == inserting_into || depth > EP_MAX_NESTS)
- result = INT_MAX;
+ result = EP_MAX_NESTS+1;
else
result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1);
if (result > EP_MAX_NESTS)
--
2.50.1 (Apple Git-155)