Re: [PATCH 3.14 11/23] pipe: Fix buffer offset after partially failed read

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2016-06-07 at 15:50 +0200, Jiri Slaby wrote:
> On 06/05/2016, 11:40 PM, Greg Kroah-Hartman wrote:
> > 3.14-stable review patch.  If anyone has any objections, please let
> > me know.
> > 
> > ------------------
> > 
> > From: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
> > 
> > commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2 upstream.
> 
> This is not a SHA of an upstream commit ;).

Indeed, that's from the stable/linux-3.2.y branch.  There is no
upstream commit since the bug was never introduced there.

Ben.

> > Quoting the RHEL advisory:
> > 
> > > It was found that the fix for CVE-2015-1805 incorrectly kept
> > > buffer
> > > offset and buffer length in sync on a failed atomic read,
> > > potentially
> > > resulting in a pipe buffer state corruption. A local,
> > > unprivileged user
> > > could use this flaw to crash the system or leak kernel memory to
> > > user
> > > space. (CVE-2016-0774, Moderate)
> > 
> > The same flawed fix was applied to stable branches from 2.6.32.y to
> > 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
> > We need to give pipe_iov_copy_to_user() a separate offset variable
> > and only update the buffer offset if it succeeds.
> > 
> > References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
> > Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
> > Cc: Willy Tarreau <w@xxxxxx>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> 
> thanks,
-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson

Attachment: signature.asc
Description: This is a digitally signed message part


[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]