From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from out5-smtp.messagingengine.com ([66.111.4.29]:50223 "EHLO out5-smtp.messagingengine.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751579AbbFZFjs (ORCPT ); Fri, 26 Jun 2015 01:39:48 -0400 Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id 888A721E14 for ; Fri, 26 Jun 2015 01:39:48 -0400 (EDT) Date: Thu, 25 Jun 2015 21:20:47 -0700 From: Greg KH To: Ben Hutchings Cc: stable , Seth Jennings , Al Viro Subject: Re: [PATCH stable] pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic Message-ID: <20150626042047.GA32451@kroah.com> References: <1434489811.4279.7.camel@decadent.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1434489811.4279.7.camel@decadent.org.uk> Sender: stable-owner@vger.kernel.org List-ID: On Tue, Jun 16, 2015 at 10:23:31PM +0100, Ben Hutchings wrote: > pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec, > the first time atomically and the second time not. The second attempt > needs to continue from the iovec position, pipe buffer offset and > remaining length where the first attempt failed, but currently the > pipe buffer offset and remaining length are reset. This will corrupt > the piped data (possibly also leading to an information leak between > processes) and may also corrupt kernel memory. > > This was fixed upstream by commits f0d1bec9d58d ("new helper: > copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to > copy_page_to_iter()"), but those aren't suitable for stable. > > So 3.14.y and all earlier branches need a different fix. I extracted > the fix made by Seth Jennings for RHEL and have attached versions for > 2.6.32.y and 3.2.y (tested) and 3.14.y (untested, just resolved a > conflict there). One or other of these should work for the other > maintained branches. Many thanks for these, now applied to 3.14 and 3.10-stable. greg k-h