From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932156AbcFEVkr (ORCPT ); Sun, 5 Jun 2016 17:40:47 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:42800 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752690AbcFEVkj (ORCPT ); Sun, 5 Jun 2016 17:40:39 -0400 From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Ben Hutchings , Willy Tarreau Subject: [PATCH 3.14 11/23] pipe: Fix buffer offset after partially failed read Date: Sun, 5 Jun 2016 14:40:11 -0700 Message-Id: <20160605213828.067815770@linuxfoundation.org> X-Mailer: git-send-email 2.8.3 In-Reply-To: <20160605213826.938892115@linuxfoundation.org> References: <20160605213826.938892115@linuxfoundation.org> User-Agent: quilt/0.64 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Ben Hutchings commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2 upstream. Quoting the RHEL advisory: > It was found that the fix for CVE-2015-1805 incorrectly kept buffer > offset and buffer length in sync on a failed atomic read, potentially > resulting in a pipe buffer state corruption. A local, unprivileged user > could use this flaw to crash the system or leak kernel memory to user > space. (CVE-2016-0774, Moderate) The same flawed fix was applied to stable branches from 2.6.32.y to 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y. We need to give pipe_iov_copy_to_user() a separate offset variable and only update the buffer offset if it succeeds. References: https://rhn.redhat.com/errata/RHSA-2016-0103.html Signed-off-by: Ben Hutchings Cc: Willy Tarreau Signed-off-by: Greg Kroah-Hartman --- fs/pipe.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) --- a/fs/pipe.c +++ b/fs/pipe.c @@ -401,6 +401,7 @@ pipe_read(struct kiocb *iocb, const stru void *addr; size_t chars = buf->len, remaining; int error, atomic; + int offset; if (chars > total_len) chars = total_len; @@ -414,9 +415,10 @@ pipe_read(struct kiocb *iocb, const stru atomic = !iov_fault_in_pages_write(iov, chars); remaining = chars; + offset = buf->offset; redo: addr = ops->map(pipe, buf, atomic); - error = pipe_iov_copy_to_user(iov, addr, &buf->offset, + error = pipe_iov_copy_to_user(iov, addr, &offset, &remaining, atomic); ops->unmap(pipe, buf, addr); if (unlikely(error)) { @@ -432,6 +434,7 @@ redo: break; } ret += chars; + buf->offset += chars; buf->len -= chars; /* Was it a packet buffer? Clean up and exit */