On 06/05/2016, 11:40 PM, Greg Kroah-Hartman wrote:
> 3.14-stable review patch.  If anyone has any objections, please let me know.
>
> ------------------
>
> From: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
>
> commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2 upstream.

This is not a SHA of an upstream commit ;).

> Quoting the RHEL advisory:
>
>> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
>> offset and buffer length in sync on a failed atomic read, potentially
>> resulting in a pipe buffer state corruption. A local, unprivileged user
>> could use this flaw to crash the system or leak kernel memory to user
>> space. (CVE-2016-0774, Moderate)
>
> The same flawed fix was applied to stable branches from 2.6.32.y to
> 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
> We need to give pipe_iov_copy_to_user() a separate offset variable
> and only update the buffer offset if it succeeds.
>
> References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
> Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
> Cc: Willy Tarreau <w@xxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

thanks,
-- 
js
suse labs
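The bookkeeping mistake the quoted commit message describes, as an added example that is not part of this thread and not the kernel's own pipe code: a user-space model in which a copy into the reader's buffer can fault part-way through the first, atomic attempt and is then redone without page faults disabled. The flawed helper advances the shared buffer offset as each segment lands, so the redo starts too far into the page and the reader receives bytes beyond the payload; the corrected helper walks a private offset and commits it only once the whole copy has succeeded, which is the change the commit message calls for. The names pipe_buf, user_dst, copy_helper_flawed, copy_helper_fixed and run_read, the segment size, the fault position and the payload are all assumptions made for the demonstration and do not mirror the real pipe_read() path in detail.

```c
/* Added example, not the kernel's code: a user-space model of the offset/length
 * bookkeeping bug in the advisory. All names, sizes and data are assumptions. */
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 64
#define CHUNK     8     /* bytes per "iovec segment" */
#define FAULT_AT  16    /* user offset at which the atomic copy faults */
#define STALE     0xEE  /* page bytes outside the payload; must never reach the reader */

/* Pipe page: live data is [offset, offset + len), the rest is stale. */
struct pipe_buf { unsigned char page[PAGE_SIZE]; size_t offset, len; };
/* Reader's buffer: pos advances only once a whole copy succeeds; faulted
 * limits the simulated fault to the first (atomic) attempt of a read. */
struct user_dst { unsigned char data[PAGE_SIZE]; size_t pos; int faulted; };

/* Model of copy_to_user(): 0 on success, -1 (EFAULT) when the atomic
 * (faults-disabled) attempt would cross FAULT_AT. The redo always succeeds. */
static int copy_to_user_model(struct user_dst *dst, size_t upos,
                              const unsigned char *src, size_t n, int atomic)
{
    if (atomic && !dst->faulted && upos + n > FAULT_AT) {
        dst->faulted = 1;
        return -1;
    }
    memcpy(dst->data + upos, src, n);
    return 0;
}

/* Flawed helper: bumps buf->offset as each segment lands, so a fault leaves
 * offset advanced while len is untouched and the redo starts too far in. */
static int copy_helper_flawed(struct pipe_buf *buf, struct user_dst *dst,
                              size_t chars, int atomic)
{
    size_t upos = dst->pos;
    while (chars) {
        size_t n = chars < CHUNK ? chars : CHUNK;
        if (copy_to_user_model(dst, upos, buf->page + buf->offset, n, atomic))
            return -1;
        buf->offset += n; upos += n; chars -= n;
    }
    return 0;
}

/* Corrected helper: walks a private offset and hands it back only on success. */
static int copy_helper_fixed(const struct pipe_buf *buf, size_t *offset,
                             struct user_dst *dst, size_t chars, int atomic)
{
    size_t off = *offset, upos = dst->pos;
    while (chars) {
        size_t n = chars < CHUNK ? chars : CHUNK;
        if (copy_to_user_model(dst, upos, buf->page + off, n, atomic))
            return -1;
        off += n; upos += n; chars -= n;
    }
    *offset = off;
    return 0;
}

/* pipe_read()-style caller: atomic attempt, one non-atomic redo on fault,
 * then consume `chars` bytes from the buffer. */
static void pipe_read_model(struct pipe_buf *buf, struct user_dst *dst,
                            size_t chars, int fixed)
{
    int atomic, err;
    for (atomic = 1; atomic >= 0; atomic--) {
        if (fixed) {
            size_t off = buf->offset;
            err = copy_helper_fixed(buf, &off, dst, chars, atomic);
            if (!err)
                buf->offset = off;   /* commit only after full success */
        } else {
            err = copy_helper_flawed(buf, dst, chars, atomic);
        }
        if (!err)
            break;
    }
    dst->pos += chars;
    buf->len -= chars;
}

/* One read of the whole payload through either helper. Returns how many stale
 * bytes reached user space; the final buffer state is left in *buf. */
size_t run_read(int fixed, struct pipe_buf *buf, struct user_dst *dst)
{
    static const char payload[] = "ABCDEFGHIJKLMNOPQRSTUVWX";  /* constructed, 24 bytes */
    size_t chars = sizeof(payload) - 1, i, stale = 0;
    memset(buf->page, STALE, PAGE_SIZE);
    memcpy(buf->page, payload, chars);
    buf->offset = 0; buf->len = chars;
    memset(dst, 0, sizeof(*dst));
    pipe_read_model(buf, dst, chars, fixed);
    for (i = 0; i < chars; i++)
        stale += (dst->data[i] == STALE);
    return stale;
}

int main(void)
{
    struct pipe_buf buf; struct user_dst dst;
    printf("flawed: %zu stale bytes leaked\n", run_read(0, &buf, &dst));
    printf("fixed:  %zu stale bytes leaked\n", run_read(1, &buf, &dst));
    return 0;
}
```

With a 24-byte payload, 8-byte segments and a fault at user byte 16, the flawed helper has already moved the offset to 16 when the atomic attempt fails; the redo then delivers page bytes 16 through 39 and leaves the buffer at offset 40 with len 0, so 16 bytes of stale page content reach the reader and offset plus len no longer describe the data that was there. The corrected helper discards its private offset on the failed attempt, redoes the copy from offset 0 and ends at offset 24, len 0.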