On Sat, Feb 13, 2016 at 06:42:26PM +0000, Ben Hutchings wrote:
> Quoting the RHEL advisory:
>
> > It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> > offset and buffer length in sync on a failed atomic read, potentially
> > resulting in a pipe buffer state corruption. A local, unprivileged user
> > could use this flaw to crash the system or leak kernel memory to user
> > space. (CVE-2016-0774, Moderate)
>
> The same flawed fix was applied to stable branches from 2.6.32.y to
> 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
> We need to give pipe_iov_copy_to_user() a separate offset variable
> and only update the buffer offset if it succeeds.

Queued for last 2.6.32, thanks Ben!

Willy
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
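The pattern Ben describes, advancing the pipe buffer's offset and length before the copy to user space is known to have succeeded, is a general state-commit bug, and the fix he names (a separate offset variable, committed only on success) is the general cure. The following C model is an added example written for this page; it is not kernel code and not code from Ben or Willy. The struct and function names (`pipe_buf`, `copy_to_user_sim`, `pipe_read_flawed`, `pipe_read_fixed`) and the simulated partial-copy fault are assumptions made to keep it self-contained; the real `pipe_iov_copy_to_user()` and `copy_to_user()` differ in detail.

```c
/* Added example modelling the CVE-2016-0774 state-update bug in a tiny
 * user-space simulation. Names and the fault model are assumptions; this
 * is not the kernel's pipe code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified pipe buffer: a page of data, the consumed offset and the
 * number of bytes still unread. Invariant: offset + len == page size. */
struct pipe_buf {
    const char *page;
    size_t offset;
    size_t len;
};

/* Simulated copy_to_user(): copies n bytes but, to model a fault in the
 * middle of an atomic copy, stops after fail_after bytes when that is
 * smaller than n. Like the kernel helper it returns the number of bytes
 * NOT copied, so 0 means complete success. */
static size_t copy_to_user_sim(char *dst, const char *src, size_t n,
                               size_t fail_after)
{
    size_t done = fail_after < n ? fail_after : n;
    memcpy(dst, src, done);
    return n - done;
}

/* Flawed variant (the pattern the RHEL advisory describes): the buffer's
 * own offset/len are kept "in sync" with the attempted copy even though
 * the copy did not complete, so the buffer now claims bytes were consumed
 * that the reader never received. Returns 0 on success, -1 on failure. */
int pipe_read_flawed(struct pipe_buf *buf, char *user, size_t want,
                     size_t fail_after)
{
    size_t chunk = want < buf->len ? want : buf->len;
    size_t left = copy_to_user_sim(user, buf->page + buf->offset, chunk,
                                   fail_after);
    buf->offset += chunk;   /* BUG: committed regardless of 'left' */
    buf->len -= chunk;
    return left ? -1 : 0;
}

/* Fixed variant: copy through a separate offset variable and update the
 * buffer state only once the whole copy succeeded. On failure the buffer
 * is untouched, so the caller can safely retry. */
int pipe_read_fixed(struct pipe_buf *buf, char *user, size_t want,
                    size_t fail_after)
{
    size_t chunk = want < buf->len ? want : buf->len;
    size_t off = buf->offset;                 /* private cursor */
    size_t left = copy_to_user_sim(user, buf->page + off, chunk, fail_after);
    if (left)
        return -1;                            /* state unchanged */
    buf->offset = off + chunk;                /* commit only on success */
    buf->len -= chunk;
    return 0;
}

/* Scenario 1: one read that faults after 3 of 8 bytes. Returns the buffer
 * offset afterwards: the flawed code reports 8 consumed, the fixed code 0. */
size_t offset_after_failed_read(bool use_fixed)
{
    static const char page[] = "ABCDEFGH";     /* constructed 8-byte page */
    struct pipe_buf buf = { page, 0, 8 };
    char user[8] = {0};
    if (use_fixed)
        pipe_read_fixed(&buf, user, 8, 3);
    else
        pipe_read_flawed(&buf, user, 8, 3);
    return buf.offset;
}

/* Scenario 2: the same faulting read followed by a retry that does not
 * fault. Returns how many leading bytes the reader ended up with correctly.
 * With the fix the retry delivers all 8; with the flaw the buffer already
 * thinks it is empty, the retry "succeeds" with 0 bytes and 5 are lost. */
int bytes_correct_after_retry(bool use_fixed)
{
    static const char page[] = "ABCDEFGH";     /* constructed 8-byte page */
    struct pipe_buf buf = { page, 0, 8 };
    char user[8] = {0};
    int (*do_read)(struct pipe_buf *, char *, size_t, size_t) =
        use_fixed ? pipe_read_fixed : pipe_read_flawed;
    do_read(&buf, user, 8, 3);          /* first attempt faults after 3 bytes */
    do_read(&buf, user, 8, SIZE_MAX);   /* retry with no fault */
    int ok = 0;
    while (ok < 8 && user[ok] == page[ok])
        ok++;
    return ok;
}
```

The second scenario is the one worth internalising: the flawed path never reports an error on the retry, so the corruption is silent from the caller's point of view. In the real kernel the consequences described in the advisory (crash or kernel memory disclosure) follow from the same root cause, a buffer whose offset/len no longer describe what was actually delivered.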