Re: [PATCH 2.6.32-3.14] pipe: Fix buffer offset after partially failed read

On Sat, Feb 13, 2016 at 06:42:26PM +0000, Ben Hutchings wrote:
> Quoting the RHEL advisory:
> 
> > It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> > offset and buffer length in sync on a failed atomic read, potentially
> > resulting in a pipe buffer state corruption. A local, unprivileged user
> > could use this flaw to crash the system or leak kernel memory to user
> > space. (CVE-2016-0774, Moderate)
> 
> The same flawed fix was applied to stable branches from 2.6.32.y to
> 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.  
> We need to give pipe_iov_copy_to_user() a separate offset variable
> and only update the buffer offset if it succeeds.

Queued for last 2.6.32, thanks Ben!
Willy

--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
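The hazard Ben's quoted summary describes (a shared buffer offset advanced before the whole copy is known to have succeeded, then a retry that starts from the wrong place) can be shown in a few lines of C. The program below is an added illustration written for this archive page; it is not part of this thread, not the stable patch, and not the kernel's own pipe_read()/pipe_iov_copy_to_user(). The types and names (pipe_buf, user_dst, copy_segment, copy_to_user_flawed, copy_to_user_fixed, pipe_read_model, run_scenario), the 16-byte buffer and the fault-injection scheme are all constructed for the example; the real kernel code differs in detail. It contrasts a variant that advances buf->offset segment by segment with one that walks a private offset variable and commits it only on success, and checks the invariant a reader would want afterwards: offset + len must not reach past the data actually written.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Simplified model of a pipe buffer: BUF_SIZE bytes of data and the window
 * [offset, offset + len) of bytes not yet read.  Constructed for this
 * example; it is not the kernel's struct pipe_buffer. */
struct pipe_buf {
    char data[BUF_SIZE];
    unsigned int offset;
    unsigned int len;
};

/* Destination model: a user buffer filled in fixed-size segments (like iovec
 * entries), with a simulated fault on one segment of the atomic attempt. */
struct user_dst {
    char out[BUF_SIZE];
    unsigned int seg;      /* bytes per segment */
    int fault_seg;         /* segment index that faults when atomic, -1 = none */
};

/* Copies n bytes into segment idx.  Returns 0 on success, -1 on a simulated
 * fault (nothing copied for that segment), like a failing copy_to_user(). */
static int copy_segment(struct user_dst *d, unsigned int idx,
                        const char *from, unsigned int n, int atomic)
{
    if (atomic && (int)idx == d->fault_seg)
        return -1;
    memcpy(d->out + idx * d->seg, from, n);
    return 0;
}

/* Flawed pattern: advances the shared buf->offset as each segment lands, so a
 * fault part-way through leaves the offset already moved. */
static int copy_to_user_flawed(struct pipe_buf *buf, struct user_dst *d,
                               unsigned int chars, int atomic)
{
    unsigned int idx = 0;
    while (chars > 0) {
        unsigned int n = chars < d->seg ? chars : d->seg;
        if (copy_segment(d, idx, buf->data + buf->offset, n, atomic))
            return -1;        /* buf->offset has already been advanced */
        buf->offset += n;
        chars -= n;
        idx++;
    }
    return 0;
}

/* Fixed pattern: a separate offset variable is walked during the copy and
 * written back to the buffer only once every segment has succeeded. */
static int copy_to_user_fixed(struct pipe_buf *buf, struct user_dst *d,
                              unsigned int chars, int atomic)
{
    unsigned int idx = 0, off = buf->offset;
    while (chars > 0) {
        unsigned int n = chars < d->seg ? chars : d->seg;
        if (copy_segment(d, idx, buf->data + off, n, atomic))
            return -1;        /* buf->offset is untouched */
        off += n;
        chars -= n;
        idx++;
    }
    buf->offset = off;        /* commit only on success */
    return 0;
}

/* Models the read path: one atomic attempt, a non-atomic retry if it
 * faulted, then the consumed length is subtracted.  Returns 0 on success. */
static int pipe_read_model(struct pipe_buf *buf, struct user_dst *d,
                           unsigned int chars, int use_fixed)
{
    int (*copy)(struct pipe_buf *, struct user_dst *, unsigned int, int) =
        use_fixed ? copy_to_user_fixed : copy_to_user_flawed;
    if (copy(buf, d, chars, 1) && copy(buf, d, chars, 0))
        return -1;
    buf->len -= chars;
    return 0;
}

/* Invariant a reader can check after any read: the unread window must lie
 * inside the bytes the writer actually placed in the buffer. */
static int window_is_sane(const struct pipe_buf *buf, unsigned int written)
{
    return buf->offset + buf->len <= written;
}

/* Scenario: 16 bytes buffered, an 8-byte read in two 4-byte segments, the
 * second segment faulting on the atomic attempt.  Copies the 8 bytes the
 * reader received into out8 and reports offset/len; returns 1 if the buffer
 * window is still sane, 0 if it now reaches past the data, -1 on read error. */
int run_scenario(int use_fixed, char *out8, unsigned int *offset, unsigned int *len)
{
    struct pipe_buf buf = { {0}, 0, BUF_SIZE };
    struct user_dst d = { {0}, 4, 1 };
    memcpy(buf.data, "ABCDEFGHIJKLMNOP", BUF_SIZE);   /* constructed data */
    if (pipe_read_model(&buf, &d, 8, use_fixed))
        return -1;
    memcpy(out8, d.out, 8);
    *offset = buf.offset;
    *len = buf.len;
    return window_is_sane(&buf, BUF_SIZE);
}

int main(void)
{
    char got[9] = {0};
    unsigned int off, len;
    int sane = run_scenario(0, got, &off, &len);
    printf("flawed: got \"%s\", offset=%u len=%u sane=%d\n", got, off, len, sane);
    sane = run_scenario(1, got, &off, &len);
    printf("fixed:  got \"%s\", offset=%u len=%u sane=%d\n", got, off, len, sane);
    return 0;
}
```

With the flawed variant the reader receives "EFGHIJKL" instead of "ABCDEFGH" and the buffer ends at offset 12, len 8, so the window claims 20 bytes of a 16-byte buffer; with the fixed variant the retry restarts from offset 0 and the state ends at offset 8, len 8.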