Subject: Re: [PATCH stable] pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
From: Kamal Mostafa
To: Ben Hutchings
Cc: stable, Seth Jennings, Al Viro
Date: Mon, 29 Jun 2015 11:53:23 -0700
Message-ID: <1435604003.30753.1.camel@fourier>
In-Reply-To: <1434489811.4279.7.camel@decadent.org.uk>

On Tue, 2015-06-16 at 22:23 +0100, Ben Hutchings wrote:
> pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
> the first time atomically and the second time not. The second attempt
> needs to continue from the iovec position, pipe buffer offset and
> remaining length where the first attempt failed, but currently the
> pipe buffer offset and remaining length are reset. This will corrupt
> the piped data (possibly also leading to an information leak between
> processes) and may also corrupt kernel memory.
>
> This was fixed upstream by commits f0d1bec9d58d ("new helper:
> copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
> copy_page_to_iter()"), but those aren't suitable for stable.
>
> So 3.14.y and all earlier branches need a different fix. I extracted
> the fix made by Seth Jennings for RHEL and have attached versions for
> 2.6.32.y and 3.2.y (tested) and 3.14.y (untested, just resolved a
> conflict there). One or other of these should work for the other
> maintained branches.
>
> Ben.
>

Thanks Ben! Applied to 3.13-stable.

-Kamal
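A user-space model of the retry defect Ben describes, added here as an illustration; it is not the kernel's code nor the patches attached to this thread. The iovec cursor, the 5-byte "atomic budget" that stands in for a faulting user page, and the two 8-byte destination segments are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

struct iov_seg { char *base; size_t len; };                       /* one iovec entry */
struct iov_cur { struct iov_seg *seg; size_t nseg; size_t off; }; /* iovec position */

/* Copy up to `len` bytes of `src` into the iovec at `cur`, advancing it. The
 * `budget` models the atomic attempt: the copy stops short once that many
 * bytes have been written in this call, as if a user page had faulted. */
static size_t copy_to_iov(struct iov_cur *cur, const char *src, size_t len,
                          size_t budget)
{
    size_t done = 0;
    while (done < len && done < budget && cur->nseg) {
        size_t room = cur->seg->len - cur->off, n = len - done;
        if (!room) { cur->seg++; cur->nseg--; cur->off = 0; continue; }
        if (n > room) n = room;
        if (n > budget - done) n = budget - done;
        memcpy(cur->seg->base + cur->off, src + done, n);
        cur->off += n;
        done += n;
    }
    return done;
}

/* Pre-fix behaviour from the thread: the iovec position survives the failed
 * atomic attempt, but buffer offset/length reset, so byte 0 is written again. */
static size_t pipe_copy_buggy(struct iov_cur *cur, const char *buf, size_t len, size_t budget)
{
    size_t n = copy_to_iov(cur, buf, len, budget);
    return n < len ? n + copy_to_iov(cur, buf, len, (size_t)-1) : n;
}

/* Fixed behaviour: the retry resumes at buf + n with len - n bytes remaining. */
static size_t pipe_copy_fixed(struct iov_cur *cur, const char *buf, size_t len, size_t budget)
{
    size_t n = copy_to_iov(cur, buf, len, budget);
    return n < len ? n + copy_to_iov(cur, buf + n, len - n, (size_t)-1) : n;
}

/* Constructed scenario: two 8-byte "user" segments, a 15-byte pipe buffer,
 * atomic pass stops after 5 bytes. Returns 1 iff exactly `expect` lands. */
int model_writes(int use_fix, const char *expect, size_t len)
{
    static const char msg[] = "0123456789ABCDE";
    char out[16] = { 0 };
    struct iov_seg segs[2] = { { out, 8 }, { out + 8, 8 } };
    struct iov_cur cur = { segs, 2, 0 };
    size_t n = use_fix ? pipe_copy_fixed(&cur, msg, 15, 5) : pipe_copy_buggy(&cur, msg, 15, 5);
    return n == len && memcmp(out, expect, len) == 0;
}
```

With the reset, the retry duplicates the first five bytes and overruns the intended length, so the reader sees "012340123456789A" instead of the 15-byte message; resuming from the saved offset and remaining length delivers it intact.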