- Drop AlmaLinux ahead-of-RHEL eventpoll CVE-2026-46242 fix (1712), superseded by the RHEL eventpoll series in 687.23.1 - Temporarily drop the rtmutex remove_waiter() fixes (1736, 1738) - Add RHEL 687.23.1 backports recreated from CS10/upstream (1739-1755)
58 lines
2.2 KiB
Diff
58 lines
2.2 KiB
Diff
From 2eb0a1e08ebad5be00433093449abf025450ca6d Mon Sep 17 00:00:00 2001
|
|
From: Ian Kent <ikent@redhat.com>
|
|
Date: Wed, 17 Jun 2026 12:08:43 +0800
|
|
Subject: [PATCH] eventpoll: Fix integer overflow in ep_loop_check_proc()
|
|
|
|
JIRA: https://redhat.atlassian.net/browse/RHEL-180777
|
|
Upstream status: Linus
|
|
|
|
commit fdcfce93073d990ed4b71752e31ad1c1d6e9d58b
|
|
Author: Jann Horn <jannh@google.com>
|
|
Date: Mon Feb 23 20:59:33 2026 +0100
|
|
|
|
eventpoll: Fix integer overflow in ep_loop_check_proc()
|
|
|
|
If a recursive call to ep_loop_check_proc() hits the `result = INT_MAX`,
|
|
an integer overflow will occur in the calling ep_loop_check_proc() at
|
|
`result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1)`,
|
|
breaking the recursion depth check.
|
|
|
|
Fix it by using a different placeholder value that can't lead to an
|
|
overflow.
|
|
|
|
Reported-by: Guenter Roeck <linux@roeck-us.net>
|
|
Fixes: f2e467a48287 ("eventpoll: Fix semi-unbounded recursion")
|
|
Cc: stable@vger.kernel.org
|
|
Signed-off-by: Jann Horn <jannh@google.com>
|
|
Link: https://patch.msgid.link/20260223-epoll-int-overflow-v1-1-452f35132224@google.com
|
|
Signed-off-by: Christian Brauner <brauner@kernel.org>
|
|
|
|
Signed-off-by: Ian Kent <ikent@redhat.com>
|
|
|
|
diff --git a/fs/eventpoll.c b/fs/eventpoll.c
|
|
index 5228ff9c8742..cb21dfe9ee0a 100644
|
|
--- a/fs/eventpoll.c
|
|
+++ b/fs/eventpoll.c
|
|
@@ -2130,7 +2130,8 @@ static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events,
|
|
* @ep: the &struct eventpoll to be currently checked.
|
|
* @depth: Current depth of the path being checked.
|
|
*
|
|
- * Return: depth of the subtree, or INT_MAX if we found a loop or went too deep.
|
|
+ * Return: depth of the subtree, or a value bigger than EP_MAX_NESTS if we found
|
|
+ * a loop or went too deep.
|
|
*/
|
|
static int ep_loop_check_proc(struct eventpoll *ep, int depth)
|
|
{
|
|
@@ -2149,7 +2150,7 @@ static int ep_loop_check_proc(struct eventpoll *ep, int depth)
|
|
struct eventpoll *ep_tovisit;
|
|
ep_tovisit = epi->ffd.file->private_data;
|
|
if (ep_tovisit == inserting_into || depth > EP_MAX_NESTS)
|
|
- result = INT_MAX;
|
|
+ result = EP_MAX_NESTS+1;
|
|
else
|
|
result = max(result, ep_loop_check_proc(ep_tovisit, depth + 1) + 1);
|
|
if (result > EP_MAX_NESTS)
|
|
--
|
|
2.50.1 (Apple Git-155)
|
|
|