DivestOS/Patches/Linux_CVEs/CVE-2016-0774/ANY/0.patch

From b381fbc509052d07ccf8641fd7560a25d46aaf1e Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Sat, 13 Feb 2016 02:34:52 +0000
Subject: pipe: Fix buffer offset after partially failed read

Quoting the RHEL advisory:

> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> offset and buffer length in sync on a failed atomic read, potentially
> resulting in a pipe buffer state corruption. A local, unprivileged user
> could use this flaw to crash the system or leak kernel memory to user
> space. (CVE-2016-0774, Moderate)

The same flawed fix was applied to stable branches from 2.6.32.y to
3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
We need to give pipe_iov_copy_to_user() a separate offset variable
and only update the buffer offset if it succeeds.

References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Jeffrey Vander Stoep <jeffv@google.com>
Signed-off-by: Zefan Li <lizefan@huawei.com>
---
 fs/pipe.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'fs/pipe.c')

diff --git a/fs/pipe.c b/fs/pipe.c
index abfb935..6049235 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -390,6 +390,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
 			void *addr;
 			size_t chars = buf->len, remaining;
 			int error, atomic;
+			int offset;
 
 			if (chars > total_len)
 				chars = total_len;
@@ -403,9 +404,10 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
 
 			atomic = !iov_fault_in_pages_write(iov, chars);
 			remaining = chars;
+			offset = buf->offset;
 redo:
 			addr = ops->map(pipe, buf, atomic);
-			error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
+			error = pipe_iov_copy_to_user(iov, addr, &offset,
 						      &remaining, atomic);
 			ops->unmap(pipe, buf, addr);
 			if (unlikely(error)) {
@@ -421,6 +423,7 @@ redo:
 				break;
 			}
 			ret += chars;
+			buf->offset += chars;
 			buf->len -= chars;
 
 			/* Was it a packet buffer? Clean up and exit */
-- 
cgit v1.1
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From b381fbc509052d07ccf8641fd7560a25d46aaf1e Mon Sep 17 00:00:00 2001`
			`From: Ben Hutchings <ben@decadent.org.uk>`
			`Date: Sat, 13 Feb 2016 02:34:52 +0000`
			`Subject: pipe: Fix buffer offset after partially failed read`

			`Quoting the RHEL advisory:`

			`> It was found that the fix for CVE-2015-1805 incorrectly kept buffer`
			`> offset and buffer length in sync on a failed atomic read, potentially`
			`> resulting in a pipe buffer state corruption. A local, unprivileged user`
			`> could use this flaw to crash the system or leak kernel memory to user`
			`> space. (CVE-2016-0774, Moderate)`

			`The same flawed fix was applied to stable branches from 2.6.32.y to`
			`3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.`
			`We need to give pipe_iov_copy_to_user() a separate offset variable`
			`and only update the buffer offset if it succeeds.`

			`References: https://rhn.redhat.com/errata/RHSA-2016-0103.html`
			`Signed-off-by: Ben Hutchings <ben@decadent.org.uk>`
			`Cc: Jeffrey Vander Stoep <jeffv@google.com>`
			`Signed-off-by: Zefan Li <lizefan@huawei.com>`
			`---`
			`fs/pipe.c \| 5 ++++-`
			`1 file changed, 4 insertions(+), 1 deletion(-)`

			`(limited to 'fs/pipe.c')`

			`diff --git a/fs/pipe.c b/fs/pipe.c`
			`index abfb935..6049235 100644`
			`--- a/fs/pipe.c`
			`+++ b/fs/pipe.c`
			`@@ -390,6 +390,7 @@ pipe_read(struct kiocb iocb, const struct iovec _iov,`
			`void *addr;`
			`size_t chars = buf->len, remaining;`
			`int error, atomic;`
			`+ int offset;`

			`if (chars > total_len)`
			`chars = total_len;`
			`@@ -403,9 +404,10 @@ pipe_read(struct kiocb iocb, const struct iovec _iov,`

			`atomic = !iov_fault_in_pages_write(iov, chars);`
			`remaining = chars;`
			`+ offset = buf->offset;`
			`redo:`
			`addr = ops->map(pipe, buf, atomic);`
			`- error = pipe_iov_copy_to_user(iov, addr, &buf->offset,`
			`+ error = pipe_iov_copy_to_user(iov, addr, &offset,`
			`&remaining, atomic);`
			`ops->unmap(pipe, buf, addr);`
			`if (unlikely(error)) {`
			`@@ -421,6 +423,7 @@ redo:`
			`break;`
			`}`
			`ret += chars;`
			`+ buf->offset += chars;`
			`buf->len -= chars;`

			`/* Was it a packet buffer? Clean up and exit */`
			`--`
			`cgit v1.1`