On Tue, 2016-06-07 at 15:50 +0200, Jiri Slaby wrote:
> On 06/05/2016, 11:40 PM, Greg Kroah-Hartman wrote:
> > 3.14-stable review patch.  If anyone has any objections, please let
> > me know.
> >
> > ------------------
> >
> > From: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
> >
> > commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2 upstream.
>
> This is not a SHA of an upstream commit ;).

Indeed, that's from the stable/linux-3.2.y branch.  There is no upstream
commit since the bug was never introduced there.

Ben.

> > Quoting the RHEL advisory:
> >
> > > It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> > > offset and buffer length in sync on a failed atomic read, potentially
> > > resulting in a pipe buffer state corruption. A local, unprivileged
> > > user could use this flaw to crash the system or leak kernel memory
> > > to user space. (CVE-2016-0774, Moderate)
> >
> > The same flawed fix was applied to stable branches from 2.6.32.y to
> > 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
> > We need to give pipe_iov_copy_to_user() a separate offset variable
> > and only update the buffer offset if it succeeds.
> >
> > References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
> > Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
> > Cc: Willy Tarreau <w@xxxxxx>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
>
> thanks,

-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson
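The quoted commit message says only what the fix changes: pipe_iov_copy_to_user() gets a separate offset variable, and the buffer offset is updated only if the copy succeeds. The following user-space C model, an added example and not code from the patch or from the kernel, shows why that matters. It is a deliberately simplified model, not the real pipe code: a 16-byte "page" (PIPE_PAGE), a hypothetical struct user_seg whose resident flag stands in for whether a user page is mapped, a copy_to_user_model() that fails only for atomic copies into non-resident segments, and a constructed kmem array whose bytes past the page represent adjacent kernel memory. The flawed variant passes &buf->offset straight into the copy helper; the fixed variant uses a local offset and commits it only on success. With the advisory's scenario (first user segment mapped, second not), the flawed retry starts from an already-advanced offset while still copying the full buffer length, so it hands the bytes past the page to user space; the fixed variant restarts from the original offset.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EFAULT 14
#define PIPE_PAGE 16        /* assumption: a tiny "page" for the model */

struct pipe_buffer { size_t offset; size_t len; };

/* Assumption: one user iovec segment. `resident` models whether the user
 * page is mapped: an atomic copy into a non-resident page fails with
 * -EFAULT, a non-atomic copy faults it in and succeeds. */
struct user_seg { char *base; size_t len; bool resident; };

static int copy_to_user_model(struct user_seg *seg, const char *src,
                              size_t n, bool atomic)
{
    if (!seg->resident) {
        if (atomic)
            return -EFAULT;
        seg->resident = true;
    }
    memcpy(seg->base, src, n);
    return 0;
}

/* Model of pipe_iov_copy_to_user() as the patch text describes it: copy
 * `len` bytes from page + *offset into successive segments, advancing
 * *offset after every segment. Whatever *offset points at has therefore
 * already been modified when a later segment faults. */
static int pipe_iov_copy_to_user(struct user_seg *iov, const char *page,
                                 size_t *offset, size_t len, bool atomic)
{
    while (len > 0) {
        while (iov->len == 0)
            iov++;
        size_t copy = len < iov->len ? len : iov->len;
        int err = copy_to_user_model(iov, page + *offset, copy, atomic);
        if (err)
            return err;
        *offset += copy;
        len -= copy;
        iov->base += copy;
        iov->len -= copy;
    }
    return 0;
}

/* Read the whole buffer: atomic attempt first, non-atomic retry on -EFAULT.
 * The iovec is re-copied for each attempt, so the only difference between
 * the two variants is where the running offset lives. */
static long pipe_read_model(struct pipe_buffer *buf, const char *page,
                            const struct user_seg *iov_in, size_t nseg,
                            bool fixed)
{
    struct user_seg iov[8];
    size_t chars = buf->len;
    bool atomic = true;
    int err;

redo:
    memcpy(iov, iov_in, nseg * sizeof iov[0]);
    if (fixed) {
        size_t offset = buf->offset;            /* separate variable */
        err = pipe_iov_copy_to_user(iov, page, &offset, chars, atomic);
        if (!err)
            buf->offset = offset;               /* commit only on success */
    } else {
        /* flawed: the buffer's own offset is advanced even on failure */
        err = pipe_iov_copy_to_user(iov, page, &buf->offset, chars, atomic);
    }
    if (err) {
        if (atomic) {
            atomic = false;
            goto redo;
        }
        return err;
    }
    buf->len -= chars;
    return (long)chars;
}

/* Scenario (constructed): a full 16-byte pipe page followed by 8 bytes that
 * stand in for adjacent kernel memory; user segment 0 is mapped, segment 1
 * is not. Fills `out` with the 16 bytes user space receives and reports
 * the buffer offset left behind after the read. */
static long run_scenario(bool fixed, char out[16], size_t *end_offset)
{
    static const char kmem[] = "ABCDEFGHIJKLMNOP" "SECRET!!";
    struct pipe_buffer buf = { 0, PIPE_PAGE };
    struct user_seg iov[2] = { { out, 8, true }, { out + 8, 8, false } };
    long n;

    memset(out, 0, 16);
    n = pipe_read_model(&buf, kmem, iov, 2, fixed);
    *end_offset = buf.offset;
    return n;
}

int main(void)
{
    char got[17] = { 0 };
    size_t off;
    long n = run_scenario(false, got, &off);
    printf("flawed: ret=%ld offset=%zu user sees \"%s\"\n", n, off, got);
    n = run_scenario(true, got, &off);
    printf("fixed:  ret=%ld offset=%zu user sees \"%s\"\n", n, off, got);
    return 0;
}
```

In the flawed run the first, atomic attempt copies 8 bytes and advances buf.offset to 8 before the second segment faults; the retry then copies 16 bytes from offset 8, so user space receives the eight bytes beyond the page and the buffer is left with offset 24 and len 0. In the fixed run buf.offset is still 0 when the retry starts, user space receives exactly the page, and offset ends at 16.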