This is a note to let you know that I've just added the patch titled
pipe: Fix buffer offset after partially failed read
to the 3.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
pipe-fix-buffer-offset-after-partially-failed-read.patch
and it can be found in the queue-3.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From feae3ca2e5e1a8f44aa6290255d3d9709985d0b2 Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
Date: Sat, 13 Feb 2016 02:34:52 +0000
Subject: pipe: Fix buffer offset after partially failed read
From: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2 upstream.
Quoting the RHEL advisory:
> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> offset and buffer length in sync on a failed atomic read, potentially
> resulting in a pipe buffer state corruption. A local, unprivileged user
> could use this flaw to crash the system or leak kernel memory to user
> space. (CVE-2016-0774, Moderate)
The same flawed fix was applied to stable branches from 2.6.32.y to
3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
We need to give pipe_iov_copy_to_user() a separate offset variable
and only update the buffer offset if it succeeds.
References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
Cc: Willy Tarreau <w@xxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/pipe.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -401,6 +401,7 @@ pipe_read(struct kiocb *iocb, const stru
void *addr;
size_t chars = buf->len, remaining;
int error, atomic;
+ int offset;
if (chars > total_len)
chars = total_len;
@@ -414,9 +415,10 @@ pipe_read(struct kiocb *iocb, const stru
atomic = !iov_fault_in_pages_write(iov, chars);
remaining = chars;
+ offset = buf->offset;
redo:
addr = ops->map(pipe, buf, atomic);
- error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
+ error = pipe_iov_copy_to_user(iov, addr, &offset,
&remaining, atomic);
ops->unmap(pipe, buf, addr);
if (unlikely(error)) {
@@ -432,6 +434,7 @@ redo:
break;
}
ret += chars;
+ buf->offset += chars;
buf->len -= chars;
/* Was it a packet buffer? Clean up and exit */
Patches currently in stable-queue which might be from ben@xxxxxxxxxxxxxxx are
queue-3.14/pipe-fix-buffer-offset-after-partially-failed-read.patch
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html