mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-22 06:04:57 -05:00
64 lines
2.0 KiB
Diff
64 lines
2.0 KiB
Diff
|
From b381fbc509052d07ccf8641fd7560a25d46aaf1e Mon Sep 17 00:00:00 2001
|
||
|
From: Ben Hutchings <ben@decadent.org.uk>
|
||
|
Date: Sat, 13 Feb 2016 02:34:52 +0000
|
||
|
Subject: pipe: Fix buffer offset after partially failed read
|
||
|
|
||
|
Quoting the RHEL advisory:
|
||
|
|
||
|
> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
|
||
|
> offset and buffer length in sync on a failed atomic read, potentially
|
||
|
> resulting in a pipe buffer state corruption. A local, unprivileged user
|
||
|
> could use this flaw to crash the system or leak kernel memory to user
|
||
|
> space. (CVE-2016-0774, Moderate)
|
||
|
|
||
|
The same flawed fix was applied to stable branches from 2.6.32.y to
|
||
|
3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
|
||
|
We need to give pipe_iov_copy_to_user() a separate offset variable
|
||
|
and only update the buffer offset if it succeeds.
|
||
|
|
||
|
References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
|
||
|
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
||
|
Cc: Jeffrey Vander Stoep <jeffv@google.com>
|
||
|
Signed-off-by: Zefan Li <lizefan@huawei.com>
|
||
|
---
|
||
|
fs/pipe.c | 5 ++++-
|
||
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
||
|
|
||
|
(limited to 'fs/pipe.c')
|
||
|
|
||
|
diff --git a/fs/pipe.c b/fs/pipe.c
|
||
|
index abfb935..6049235 100644
|
||
|
--- a/fs/pipe.c
|
||
|
+++ b/fs/pipe.c
|
||
|
@@ -390,6 +390,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
|
||
|
void *addr;
|
||
|
size_t chars = buf->len, remaining;
|
||
|
int error, atomic;
|
||
|
+ int offset;
|
||
|
|
||
|
if (chars > total_len)
|
||
|
chars = total_len;
|
||
|
@@ -403,9 +404,10 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
|
||
|
|
||
|
atomic = !iov_fault_in_pages_write(iov, chars);
|
||
|
remaining = chars;
|
||
|
+ offset = buf->offset;
|
||
|
redo:
|
||
|
addr = ops->map(pipe, buf, atomic);
|
||
|
- error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
|
||
|
+ error = pipe_iov_copy_to_user(iov, addr, &offset,
|
||
|
&remaining, atomic);
|
||
|
ops->unmap(pipe, buf, addr);
|
||
|
if (unlikely(error)) {
|
||
|
@@ -421,6 +423,7 @@ redo:
|
||
|
break;
|
||
|
}
|
||
|
ret += chars;
|
||
|
+ buf->offset += chars;
|
||
|
buf->len -= chars;
|
||
|
|
||
|
/* Was it a packet buffer? Clean up and exit */
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|