[PATCH 2.6.32-3.14] pipe: Fix buffer offset after partially failed read

[PATCH 2.6.32-3.14] pipe: Fix buffer offset after partially failed read

[Ben Hutchings]

[-- Attachment #1: Type: text/plain, Size: 1594 bytes --]

Quoting the RHEL advisory:

> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> offset and buffer length in sync on a failed atomic read, potentially
> resulting in a pipe buffer state corruption. A local, unprivileged user
> could use this flaw to crash the system or leak kernel memory to user
> space. (CVE-2016-0774, Moderate)

The same flawed fix was applied to stable branches from 2.6.32.y to
3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.  
We need to give pipe_iov_copy_to_user() a separate offset variable
and only update the buffer offset if it succeeds.

References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -395,6 +395,7 @@ pipe_read(struct kiocb *iocb, const stru
 			void *addr;
 			size_t chars = buf->len, remaining;
 			int error, atomic;
+			int offset;
 
 			if (chars > total_len)
 				chars = total_len;
@@ -408,9 +409,10 @@ pipe_read(struct kiocb *iocb, const stru
 
 			atomic = !iov_fault_in_pages_write(iov, chars);
 			remaining = chars;
+			offset = buf->offset;
 redo:
 			addr = ops->map(pipe, buf, atomic);
-			error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
+			error = pipe_iov_copy_to_user(iov, addr, &offset,
 						      &remaining, atomic);
 			ops->unmap(pipe, buf, addr);
 			if (unlikely(error)) {
@@ -426,6 +428,7 @@ redo:
 				break;
 			}
 			ret += chars;
+			buf->offset += chars;
 			buf->len -= chars;
 
 			/* Was it a packet buffer? Clean up and exit */

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 811 bytes --]

Re: [PATCH 2.6.32-3.14] pipe: Fix buffer offset after partially failed read

[Willy Tarreau]

On Sat, Feb 13, 2016 at 06:42:26PM +0000, Ben Hutchings wrote:
> Quoting the RHEL advisory:
> 
> > It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> > offset and buffer length in sync on a failed atomic read, potentially
> > resulting in a pipe buffer state corruption. A local, unprivileged user
> > could use this flaw to crash the system or leak kernel memory to user
> > space. (CVE-2016-0774, Moderate)
> 
> The same flawed fix was applied to stable branches from 2.6.32.y to
> 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.  
> We need to give pipe_iov_copy_to_user() a separate offset variable
> and only update the buffer offset if it succeeds.

Queued for last 2.6.32, thanks Ben!
Willy

Re: [PATCH 2.6.32-3.14] pipe: Fix buffer offset after partially failed read

[Jiri Slaby]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 02/13/2016, 07:42 PM, Ben Hutchings wrote:
> Quoting the RHEL advisory:
> 
>> It was found that the fix for CVE-2015-1805 incorrectly kept
>> buffer offset and buffer length in sync on a failed atomic read,
>> potentially resulting in a pipe buffer state corruption. A local,
>> unprivileged user could use this flaw to crash the system or leak
>> kernel memory to user space. (CVE-2016-0774, Moderate)
> 
> The same flawed fix was applied to stable branches from 2.6.32.y
> to 3.14.y inclusive, and I was able to reproduce the issue on
> 3.2.y. We need to give pipe_iov_copy_to_user() a separate offset
> variable and only update the buffer offset if it succeeds.
> 
> References: https://rhn.redhat.com/errata/RHSA-2016-0103.html 
> Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

Thanks, now applied to 3.12.

> --- a/fs/pipe.c +++ b/fs/pipe.c @@ -395,6 +395,7 @@
> pipe_read(struct kiocb *iocb, const stru void *addr; size_t chars =
> buf->len, remaining; int error, atomic; +			int offset;
> 
> if (chars > total_len) chars = total_len; @@ -408,9 +409,10 @@
> pipe_read(struct kiocb *iocb, const stru
> 
> atomic = !iov_fault_in_pages_write(iov, chars); remaining = chars; 
> +			offset = buf->offset; redo: addr = ops->map(pipe, buf,
> atomic); -			error = pipe_iov_copy_to_user(iov, addr,
> &buf->offset, +			error = pipe_iov_copy_to_user(iov, addr,
> &offset, &remaining, atomic); ops->unmap(pipe, buf, addr); if
> (unlikely(error)) { @@ -426,6 +428,7 @@ redo: break; } ret +=
> chars; +			buf->offset += chars; buf->len -= chars;
> 
> /* Was it a packet buffer? Clean up and exit */
> 


- -- 
js
suse labs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWwerBAAoJEL0lsQQGtHBJOiUP+we7/prNLum9mMEqxNvzswTn
6S+s70j8jDqD7q0oJ/M1iNGPQXGdO14khRCuJ2akTWHcUEaMVcCLZBchBQ7zoFlO
+5KpTugXOU8cm8b/UkoniU8GRtB61JwFPaYQWNBueLR55Cox72xWmJ4JfL863/zs
yz9OgzNrlrflAO2xplkXPCcXwDrgbFRiG9uNJ3rwvc6Y0+EPjA8YKyOXG7H/DZN1
blLxrRkWxuPXknf3OWADIUend3nYE5ehovxCl7ftKfJHbNSw3y1VDOgeC0fdbvNV
23fj9Ae8Gk/UsdxFSaVBfMvl6+D4349hpYPY9qKa4Ja4V72oQp0PCeXXpqWlxTWl
XGIt7LUUUf8TbHG76Xh/udhetPw76E36qfAX9R82Jv7UYQrsI7gDPMjvEFKrBuhG
SoajzN/h93gNzVxoF5DNYtEvIogAL4oTcJBM8FRAHoEqTR1F7HgBdxztOJRfBYWX
MPxoFQP/cA8DPaWskgHIkFp+3yvX4jZUvksNN+R4tNihqR0x4+/1NvTFMnIe25na
q1TbYH2qDZHg0zFjBEHwZMeGPBW3tdGioPwdibLcKX9zJ2WUJ6aG98/dJ3+mJ52C
6ynd7dueFSVGxafJKLePFuCdPEcj3UXPIBYvjMBzzN8Hpo/F5gv2+s5Nww+MOsme
ghhdNKiiK6qKOZkljyR2
=cXOd
-----END PGP SIGNATURE-----