On Tue, 2015-06-16 at 22:23 +0100, Ben Hutchings wrote:
> pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
> the first time atomically and the second time not. The second attempt
> needs to continue from the iovec position, pipe buffer offset and
> remaining length where the first attempt failed, but currently the
> pipe buffer offset and remaining length are reset. This will corrupt
> the piped data (possibly also leading to an information leak between
> processes) and may also corrupt kernel memory.
>
> This was fixed upstream by commits f0d1bec9d58d ("new helper:
> copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
> copy_page_to_iter()"), but those aren't suitable for stable.
>
> So 3.14.y and all earlier branches need a different fix. I extracted
> the fix made by Seth Jennings for RHEL and have attached versions for
> 2.6.32.y and 3.2.y (tested) and 3.14.y (untested, just resolved a
> conflict there). One or other of these should work for the other
> maintained branches.
>
> Ben.
>

Thanks Ben! Applied to 3.13-stable.

-Kamal

--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html