Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 6dd76e62 authored by Ben Hutchings's avatar Ben Hutchings Committed by Gerrit - the friendly Code Review server
Browse files

pipe: Fix buffer offset after partially failed read 

Quoting the RHEL advisory:

> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> offset and buffer length in sync on a failed atomic read, potentially
> resulting in a pipe buffer state corruption. A local, unprivileged user
> could use this flaw to crash the system or leak kernel memory to user
> space. (CVE-2016-0774, Moderate)

The same flawed fix was applied to stable branches from 2.6.32.y to
3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
We need to give pipe_iov_copy_to_user() a separate offset variable
and only update the buffer offset if it succeeds.

Change-Id: Ibc4d13da6c463d02bd6ef7addc0fc871b6f63760
References: https://rhn.redhat.com/errata/RHSA-2016-0103.html


Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
Git-commit: feae3ca2e5e1a8f44aa6290255d3d9709985d0b2
Git-repo: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git


Signed-off-by: default avatarSrinivasarao P <spathi@codeaurora.org>
parent 6c22c7f7
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment