UPSTREAM: pipe: Fix buffer offset after partially failed read
Quoting the RHEL advisory:
> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> offset and buffer length in sync on a failed atomic read, potentially
> resulting in a pipe buffer state corruption. A local, unprivileged user
> could use this flaw to crash the system or leak kernel memory to user
> space. (CVE-2016-0774, Moderate)
The same flawed fix was applied to stable branches from 2.6.32.y to
3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
We need to give pipe_iov_copy_to_user() a separate offset variable
and only update the buffer offset if it succeeds.
References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
(cherry picked from 3.2 -stable commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2)
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
BUG=chromium:597333
TEST=buildbots
Change-Id: I0c777fabffb418e9b4e33da0e65e378110fb6f45
Previous-Reviewed-on: https://chromium-review.googlesource.com/336833
(cherry picked from commit 24142fcc8b599825f40b37765260e834943d12cb)
Reviewed-on: https://chromium-review.googlesource.com/336858
Reviewed-by: Kevin Cernekee <cernekee@chromium.org>
Commit-Queue: Kevin Cernekee <cernekee@chromium.org>
Tested-by: Kevin Cernekee <cernekee@chromium.org>
1 file changed