On 02/13/2016, 07:42 PM, Ben Hutchings wrote:
> Quoting the RHEL advisory:
>
>> It was found that the fix for CVE-2015-1805 incorrectly kept
>> buffer offset and buffer length in sync on a failed atomic read,
>> potentially resulting in a pipe buffer state corruption. A local,
>> unprivileged user could use this flaw to crash the system or leak
>> kernel memory to user space. (CVE-2016-0774, Moderate)
>
> The same flawed fix was applied to stable branches from 2.6.32.y
> to 3.14.y inclusive, and I was able to reproduce the issue on
> 3.2.y. We need to give pipe_iov_copy_to_user() a separate offset
> variable and only update the buffer offset if it succeeds.
>
> References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
> Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>

Thanks, now applied to 3.12.

> --- a/fs/pipe.c
> +++ b/fs/pipe.c
> @@ -395,6 +395,7 @@ pipe_read(struct kiocb *iocb, const stru
>  			void *addr;
>  			size_t chars = buf->len, remaining;
>  			int error, atomic;
> +			int offset;
>  
>  			if (chars > total_len)
>  				chars = total_len;
> @@ -408,9 +409,10 @@ pipe_read(struct kiocb *iocb, const stru
>  
>  			atomic = !iov_fault_in_pages_write(iov, chars);
>  			remaining = chars;
> +			offset = buf->offset;
>  redo:
>  			addr = ops->map(pipe, buf, atomic);
> -			error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
> +			error = pipe_iov_copy_to_user(iov, addr, &offset,
>  						      &remaining, atomic);
>  			ops->unmap(pipe, buf, addr);
>  			if (unlikely(error)) {
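Review bot: in the second hunk, `offset = buf->offset;` is deliberately placed above the `redo:` label, next to `remaining = chars;`, so that when a failed atomic copy jumps back to `redo` with atomic cleared, the local offset and remaining resume together from where the atomic attempt stopped instead of offset being reset while remaining is not. That only holds if pipe_iov_copy_to_user() advances `*offset`, `*remaining` and the iovec cursor in lockstep on its failure path; a one-line comment above `redo:` stating that the three stay consistent across the retry would make the placement obviously intentional to the next person touching this loop.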
> @@ -426,6 +428,7 @@ redo:
>  				break;
>  			}
>  			ret += chars;
> +			buf->offset += chars;
>  			buf->len -= chars;
>  
>  			/* Was it a packet buffer? Clean up and exit */

--
js
suse labs
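Review bot: in the third hunk, `buf->offset += chars;` now sits directly beside `buf->len -= chars;` on the success path, so the two fields move together and the failure path (which breaks out of the loop above) leaves both untouched; that is what closes the offset/length desynchronisation the advisory describes. Note the update uses `chars` rather than writing back the local `offset`, which is equivalent only because reaching this point means the whole `chars` bytes were copied. A short comment saying so would spare the next reader from wondering why `offset` is computed in the hunk above but never stored into the buffer.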
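The bookkeeping Ben describes, as an added C model that is not kernel code (PIPE_PAGE, copy_to_user_model and the fault-after-1-KiB scenario are assumptions): the flawed and corrected pipe_read() paths side by side, with a check of the offset + len invariant after a failed copy.

```c
#include <errno.h>
#include <stddef.h>
#define PIPE_PAGE 4096   /* assumed: one pipe buffer spans one page */
struct pipe_buffer { size_t offset; size_t len; };
/* Stand-in for the copy-to-user helper: moves *offset and *remaining in 512-byte
 * steps, then fails with -EFAULT once fault_after bytes are out (a user iovec
 * whose later pages are not writable). */
static int copy_to_user_model(size_t *offset, size_t *remaining, size_t fault_after)
{
    size_t done = 0;
    while (*remaining > 0) {
        size_t copy = *remaining < 512 ? *remaining : 512;
        if (done >= fault_after)
            return -EFAULT;
        *offset += copy; *remaining -= copy; done += copy;
    }
    return 0;
}

/* Flawed bookkeeping (CVE-2016-0774): the helper advances buf->offset in place,
 * but buf->len is only decremented on success. */
static int pipe_read_buggy(struct pipe_buffer *buf, size_t chars, size_t fault_after)
{
    size_t remaining = chars;
    int error = copy_to_user_model(&buf->offset, &remaining, fault_after);
    if (error) return error;
    buf->len -= chars;
    return 0;
}

/* Corrected bookkeeping: copy through a local offset and update buf->offset
 * together with buf->len only once the whole copy succeeded. */
static int pipe_read_fixed(struct pipe_buffer *buf, size_t chars, size_t fault_after)
{
    size_t remaining = chars, offset = buf->offset;
    int error = copy_to_user_model(&offset, &remaining, fault_after);
    if (error) return error;
    buf->offset += chars;
    buf->len -= chars;
    return 0;
}
/* Read a full page while user memory faults after 1 KiB; returns 1 if the read
 * failed cleanly and the buffer still satisfies offset + len <= page, else 0. */
static int failed_read_leaves_state_ok(int use_fix)
{
    struct pipe_buffer buf = { 0, PIPE_PAGE };
    int error = use_fix ? pipe_read_fixed(&buf, PIPE_PAGE, 1024)
                        : pipe_read_buggy(&buf, PIPE_PAGE, 1024);
    return error == -EFAULT && buf.offset + buf.len <= PIPE_PAGE;
}
```

With the flawed version the failed read leaves offset at 1024 while len is still 4096, so the buffer now claims bytes past the end of its page; the corrected version leaves the buffer exactly as it was.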