From: Ben Hutchings <ben@decadent.org.uk>
To: Jiri Slaby <jslaby@suse.cz>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org, Willy Tarreau <w@1wt.eu>
Subject: Re: [PATCH 3.14 11/23] pipe: Fix buffer offset after partially failed read
Date: Tue, 07 Jun 2016 15:42:45 +0100
Message-ID: <1465310565.3529.25.camel@decadent.org.uk>
In-Reply-To: <094a36ed-163a-8ced-afd2-85bb74d21f4f@suse.cz>
On Tue, 2016-06-07 at 15:50 +0200, Jiri Slaby wrote:
> On 06/05/2016, 11:40 PM, Greg Kroah-Hartman wrote:
> > 3.14-stable review patch. If anyone has any objections, please let
> > me know.
> >
> > ------------------
> >
> > From: Ben Hutchings <ben@decadent.org.uk>
> >
> > commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2 upstream.
>
> This is not a SHA of an upstream commit ;).
Indeed, that's from the stable/linux-3.2.y branch. There is no
upstream commit since the bug was never introduced there.
Ben.
> > Quoting the RHEL advisory:
> >
> > > It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> > > offset and buffer length in sync on a failed atomic read, potentially
> > > resulting in a pipe buffer state corruption. A local, unprivileged user
> > > could use this flaw to crash the system or leak kernel memory to user
> > > space. (CVE-2016-0774, Moderate)
> >
> > The same flawed fix was applied to stable branches from 2.6.32.y to
> > 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
> > We need to give pipe_iov_copy_to_user() a separate offset variable
> > and only update the buffer offset if it succeeds.
> >
> > References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
> > Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
> > Cc: Willy Tarreau <w@1wt.eu>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> thanks,
--
Ben Hutchings
When in doubt, use brute force. - Ken Thompson
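The pattern the quoted commit message describes (give the copy routine a separate offset variable and write it back to the buffer only when the whole copy succeeds) is shown below as an added example; it is not code from this thread or from the kernel tree. It is a simplified C model of a pipe read that places the flawed copy loop beside the corrected one. Every name in it (struct pipe_buf, struct iov, fake_copy_to_user, copy_out_flawed, copy_out_fixed, pipe_read_model, run_scenario) and the sample page contents are constructed for illustration; the real pipe_iov_copy_to_user() and pipe_read() are not reproduced.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a pipe buffer: a page plus the offset of the first
 * unread byte and the count of unread bytes.  Readers rely on the invariant
 * that bytes [offset, offset + len) are the only valid ones. */
struct pipe_buf {
    const unsigned char *page;
    size_t offset;
    size_t len;
};

/* One destination segment, playing the role of struct iovec. */
struct iov {
    unsigned char *base;
    size_t len;
};

/* Stand-in for an atomic copy to user space (constructed, not the kernel's):
 * copies at most *budget bytes and then "faults".  Like copy_to_user(), it
 * returns the number of bytes NOT copied, so non-zero means "not completed". */
static size_t fake_copy_to_user(unsigned char *dst, const unsigned char *src,
                                size_t n, size_t *budget)
{
    size_t done = n < *budget ? n : *budget;
    memcpy(dst, src, done);
    *budget -= done;
    return n - done;
}

/* FLAWED pattern: the shared buf->offset is advanced after every completed
 * segment.  If a later segment faults we bail out with the offset already
 * moved but the length untouched, so the two no longer describe one region. */
static int copy_out_flawed(struct iov *iov, size_t niov, struct pipe_buf *buf,
                           size_t count, size_t *budget)
{
    size_t remaining = count;
    for (size_t i = 0; i < niov && remaining > 0; i++) {
        size_t copy = remaining < iov[i].len ? remaining : iov[i].len;
        if (fake_copy_to_user(iov[i].base, buf->page + buf->offset, copy, budget))
            return -1;          /* -EFAULT in the kernel */
        buf->offset += copy;    /* committed before the whole copy succeeded */
        remaining -= copy;
    }
    buf->len -= count;
    return 0;
}

/* FIXED pattern: work on a private copy of the offset and store it, together
 * with the new length, only after every segment has been copied.  A fault
 * leaves the buffer untouched, so the retry starts from the right place. */
static int copy_out_fixed(struct iov *iov, size_t niov, struct pipe_buf *buf,
                          size_t count, size_t *budget)
{
    size_t off = buf->offset;   /* separate offset variable */
    size_t remaining = count;
    for (size_t i = 0; i < niov && remaining > 0; i++) {
        size_t copy = remaining < iov[i].len ? remaining : iov[i].len;
        if (fake_copy_to_user(iov[i].base, buf->page + off, copy, budget))
            return -1;
        off += copy;
        remaining -= copy;
    }
    buf->offset = off;          /* update only on success */
    buf->len -= count;
    return 0;
}

typedef int (*copy_fn)(struct iov *, size_t, struct pipe_buf *, size_t, size_t *);

/* Model of the read path: one atomic attempt that may fault part-way through,
 * then one full retry that does not fault. */
static int pipe_read_model(copy_fn copy, struct pipe_buf *buf, struct iov *iov,
                           size_t niov, size_t count, size_t fail_after)
{
    size_t budget = fail_after;
    if (copy(iov, niov, buf, count, &budget) == 0)
        return 0;
    budget = (size_t)-1;
    return copy(iov, niov, buf, count, &budget);
}

struct outcome {
    int rc;        /* 0 if the read eventually succeeded */
    int data_ok;   /* 1 if the reader received exactly the valid bytes */
    int state_ok;  /* 1 if offset + len still marks the end of valid data */
};

/* Read 8 valid bytes into two segments with the fault landing in the second.
 * Constructed sample page: the 0xde/0xad bytes after the valid region stand in
 * for stale contents a reader must never receive. */
static struct outcome run_scenario(copy_fn copy)
{
    static const unsigned char page[16] = {
        'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H',
        0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef
    };
    struct pipe_buf buf = { page, 0, 8 };
    unsigned char seg0[3] = { 0 }, seg1[5] = { 0 };
    struct iov iov[2] = { { seg0, 3 }, { seg1, 5 } };
    size_t end = buf.offset + buf.len;
    struct outcome o;

    o.rc = pipe_read_model(copy, &buf, iov, 2, 8, 5);
    o.data_ok = memcmp(seg0, "ABC", 3) == 0 && memcmp(seg1, "DEFGH", 5) == 0;
    o.state_ok = buf.offset + buf.len == end;
    return o;
}

int main(void)
{
    struct outcome bad = run_scenario(copy_out_flawed);
    struct outcome good = run_scenario(copy_out_fixed);
    printf("flawed: rc=%d data_ok=%d state_ok=%d\n", bad.rc, bad.data_ok, bad.state_ok);
    printf("fixed:  rc=%d data_ok=%d state_ok=%d\n", good.rc, good.data_ok, good.state_ok);
    return 0;
}
```

With the flawed loop the retry reports success, yet the first segment holds the wrong bytes, the second segment holds bytes from past the valid region (the model's analogue of the leak the advisory names), and offset + len no longer bounds the valid data (the state corruption). With the private offset both the data and the offset/len pair come out right.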