From: Jiri Slaby <jslaby@suse.cz>
To: Ben Hutchings <ben@decadent.org.uk>, stable@vger.kernel.org
Subject: Re: [PATCH 2.6.32-3.14] pipe: Fix buffer offset after partially failed read
Date: Mon, 15 Feb 2016 16:12:04 +0100
Message-ID: <56C1EAC4.8070104@suse.cz>
In-Reply-To: <20160213184225.GA5231@decadent.org.uk>

On 02/13/2016, 07:42 PM, Ben Hutchings wrote:
> Quoting the RHEL advisory:
> 
>> It was found that the fix for CVE-2015-1805 incorrectly kept
>> buffer offset and buffer length in sync on a failed atomic read,
>> potentially resulting in a pipe buffer state corruption. A local,
>> unprivileged user could use this flaw to crash the system or leak
>> kernel memory to user space. (CVE-2016-0774, Moderate)
> 
> The same flawed fix was applied to stable branches from 2.6.32.y
> to 3.14.y inclusive, and I was able to reproduce the issue on
> 3.2.y. We need to give pipe_iov_copy_to_user() a separate offset
> variable and only update the buffer offset if it succeeds.
> 
> References: https://rhn.redhat.com/errata/RHSA-2016-0103.html 
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Thanks, now applied to 3.12.

> --- a/fs/pipe.c +++ b/fs/pipe.c @@ -395,6 +395,7 @@
> pipe_read(struct kiocb *iocb, const stru void *addr; size_t chars =
> buf->len, remaining; int error, atomic; +			int offset;
> 
> if (chars > total_len) chars = total_len; @@ -408,9 +409,10 @@
> pipe_read(struct kiocb *iocb, const stru
> 
> atomic = !iov_fault_in_pages_write(iov, chars); remaining = chars; 
> +			offset = buf->offset; redo: addr = ops->map(pipe, buf,
> atomic); -			error = pipe_iov_copy_to_user(iov, addr,
> &buf->offset, +			error = pipe_iov_copy_to_user(iov, addr,
> &offset, &remaining, atomic); ops->unmap(pipe, buf, addr); if
> (unlikely(error)) { @@ -426,6 +428,7 @@ redo: break; } ret +=
> chars; +			buf->offset += chars; buf->len -= chars;
> 
> /* Was it a packet buffer? Clean up and exit */
> 
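Review bot: the new `offset` local is initialised on the line above the `redo:` label (`+ offset = buf->offset;`), so when the atomic attempt fails and the loop jumps back to `redo:` for the non-atomic retry, the copy resumes from the partially advanced `offset` rather than from `buf->offset`; that is the right thing, since `remaining` (and the iovec walked by `pipe_iov_copy_to_user()`) were advanced by the same partial copy, but nothing in the hunk says so and a reader can easily assume the retry should start over. Suggest a one-line comment there stating that `offset`, `remaining` and the iovec are kept in step across the retry, and that `+ buf->offset += chars;` after the `if (unlikely(error))` block is the only place the advance is published, which is what makes the fix: on a copy that fails outright, `buf->offset` and `buf->len` now stay unchanged together instead of `offset` having moved while `len` did not, so the buffer can no longer describe bytes past the end of its page.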


-- 
js
suse labs
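The offset/len divergence described in the quoted patch description, as an added illustration that is not part of this thread or of fs/pipe.c: a constructed model of the read step with a fault-injecting copy loop, showing the flawed bookkeeping beside the shape of the patch. PAGE_BYTES, copy_chunks(), read_flawed(), read_fixed() and buffer_stays_in_page() are hypothetical names chosen for the model.

```c
#include <stddef.h>
#define PAGE_BYTES 4096UL
/* Constructed model of one pipe buffer page: data lives at [offset, offset+len). */
struct pipe_buf { unsigned long offset; size_t len; };

/* Models pipe_iov_copy_to_user() against a hypothetical user mapping that ends
 * at fault_at: *offset and *remaining advance as each 512-byte chunk lands, and
 * the first chunk that would cross fault_at fails (returns -1) like copy_to_user(). */
static int copy_chunks(unsigned long *offset, size_t *remaining, size_t fault_at)
{
    size_t dst = 0;
    while (*remaining > 0) {
        size_t n = *remaining < 512 ? *remaining : 512;
        if (dst + n > fault_at)
            return -1;
        *offset += n; *remaining -= n; dst += n;
    }
    return 0;
}
/* Read step as in the flawed stable fix: &buf->offset goes straight into the
 * copy loop, so a failed copy leaves offset advanced while len is untouched. */
static int read_flawed(struct pipe_buf *buf, size_t chars, size_t fault_at)
{
    size_t remaining = chars;
    if (copy_chunks(&buf->offset, &remaining, fault_at))
        return -1;
    buf->len -= chars;
    return 0;
}
/* Read step in the shape of the patch: a private offset is advanced and
 * buf->offset is only published once the whole copy has succeeded. */
static int read_fixed(struct pipe_buf *buf, size_t chars, size_t fault_at)
{
    size_t remaining = chars;
    unsigned long offset = buf->offset;
    if (copy_chunks(&offset, &remaining, fault_at))
        return -1;
    buf->offset += chars;
    buf->len -= chars;
    return 0;
}
/* One read of `chars` bytes from a full page against a mapping that faults at
 * fault_at; returns 1 if the buffer still describes data inside its page. */
static int buffer_stays_in_page(int use_fix, size_t chars, size_t fault_at)
{
    struct pipe_buf buf = { 0, PAGE_BYTES };
    if (use_fix) read_fixed(&buf, chars, fault_at);
    else         read_flawed(&buf, chars, fault_at);
    return buf.offset + buf.len <= PAGE_BYTES;
}
```

With a mapping that faults after 1024 bytes, the flawed step leaves offset 1024 with len still 4096, so a later read would walk past the page; the fixed step leaves both untouched.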

Thread overview: 3+ messages
2016-02-13 18:42 [PATCH 2.6.32-3.14] pipe: Fix buffer offset after partially failed read Ben Hutchings
2016-02-14  6:47 ` Willy Tarreau
2016-02-15 15:12 ` Jiri Slaby [this message]