[hardy CVE 2/2] futex: Nullify robust lists after cleanup

[Andy Whitcroft]

From: Peter Zijlstra <peterz at infradead.org>

The robust list pointers of user space held futexes are kept intact
over an exec() call. When the exec'ed task exits exit_robust_list() is
called with the stale pointer. The risk of corruption is minimal, but
still it is incorrect to keep the pointers valid. Actually glibc
should uninstall the robust list before calling exec() but we have to
deal with it anyway.

Nullify the pointers after [compat_]exit_robust_list() has been
called.

Reported-by: Anirban Sinha <ani at anirban.org>
Signed-off-by: Peter Zijlstra <peterz at infradead.org>
Signed-off-by: Thomas Gleixner <tglx at linutronix.de>
LKML-Reference: <new-submission>
Cc: stable at kernel.org

(cherry picked from commit fc6b177dee33365ccb29fe6d2092223cf8d679f9)
CVE-2012-0028
BugLink: http://bugs.launchpad.net/bugs/927889
Signed-off-by: Andy Whitcroft <apw at canonical.com>
---
 kernel/fork.c |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/kernel/fork.c b/kernel/fork.c
index 3106adb..5b3e5e2 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -461,11 +461,15 @@ void mm_release(struct task_struct *tsk, struct mm_struct *mm)
 
 	/* Get rid of any futexes when releasing the mm */
 #ifdef CONFIG_FUTEX
-	if (unlikely(tsk->robust_list))
+	if (unlikely(tsk->robust_list)) {
 		exit_robust_list(tsk);
+		tsk->robust_list = NULL;
+	}
 #ifdef CONFIG_COMPAT
-	if (unlikely(tsk->compat_robust_list))
+	if (unlikely(tsk->compat_robust_list)) {
 		compat_exit_robust_list(tsk);
+		tsk->compat_robust_list = NULL;
+	}
 #endif
 #endif
 
-- 
1.7.9