From: Willy Tarreau
To: Ben Hutchings
Cc: stable@vger.kernel.org
Subject: Re: [PATCH 2.6.32-3.14] pipe: Fix buffer offset after partially failed read
Date: Sun, 14 Feb 2016 07:47:33 +0100
Message-ID: <20160214064733.GA28560@1wt.eu>
References: <20160213184225.GA5231@decadent.org.uk>
In-Reply-To: <20160213184225.GA5231@decadent.org.uk>

On Sat, Feb 13, 2016 at 06:42:26PM +0000, Ben Hutchings wrote:
> Quoting the RHEL advisory:
>
> > It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> > offset and buffer length in sync on a failed atomic read, potentially
> > resulting in a pipe buffer state corruption. A local, unprivileged user
> > could use this flaw to crash the system or leak kernel memory to user
> > space. (CVE-2016-0774, Moderate)
>
> The same flawed fix was applied to stable branches from 2.6.32.y to
> 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
> We need to give pipe_iov_copy_to_user() a separate offset variable
> and only update the buffer offset if it succeeds.

Queued for last 2.6.32, thanks Ben!

Willy
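The state corruption Ben describes, as an added userspace model that is not part of this thread or the kernel's pipe_read(): the copy helper is handed the buffer's own offset and advances it per chunk, so a failed atomic attempt followed by a retry leaves offset and len inconsistent; the fixed shape copies through a local offset and commits it only on success. Struct, chunk size and the fault model are constructed for illustration.

```c
#include <stddef.h>

/* Constructed model of the pipe buffer bookkeeping the advisory concerns. */
struct pipe_buf { unsigned int offset; unsigned int len; };

#define CHUNK 4 /* the model advances *offset once per chunk copied */

/* Models an atomic copy to user space: advances *offset for every chunk it
 * copies and faults once it would pass 'fault_at' bytes (0 = never fault).
 * Returns -1 on fault, like -EFAULT, leaving *offset partially advanced. */
static int copy_chunks(unsigned int *offset, unsigned int chars, unsigned int fault_at)
{
    unsigned int done = 0;
    while (done < chars) {
        if (fault_at && done + CHUNK > fault_at)
            return -1;
        *offset += CHUNK;
        done += CHUNK;
    }
    return 0;
}

/* Flawed shape: &buf->offset is passed straight to the helper, so the
 * non-atomic retry starts from an already advanced offset and len is
 * reduced by chars as if the copy had started from the original offset. */
static int read_buggy(struct pipe_buf *buf, unsigned int chars, unsigned int fault_at)
{
    if (copy_chunks(&buf->offset, chars, fault_at))
        copy_chunks(&buf->offset, chars, 0);
    buf->len -= chars;
    return 0;
}

/* Fixed shape from the thread: work on a separate offset variable and write
 * it back only when the copy succeeded, so a retry restarts cleanly. */
static int read_fixed(struct pipe_buf *buf, unsigned int chars, unsigned int fault_at)
{
    unsigned int off = buf->offset;
    if (copy_chunks(&off, chars, fault_at)) {
        off = buf->offset;                 /* discard partial progress */
        if (copy_chunks(&off, chars, 0))
            return -1;
    }
    buf->offset = off;
    buf->len -= chars;
    return 0;
}

/* Invariant the corruption breaks: offset + len must still equal the end of
 * the data originally in the buffer. Returns 1 when consistent. */
static int state_ok(const struct pipe_buf *buf, unsigned int end)
{
    return buf->offset + buf->len == end;
}
```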