From: Ben Hutchings Date: Sat, 13 Feb 2016 18:42:26 +0000 (+0000) Subject: pipe: Fix buffer offset after partially failed read X-Git-Tag: v2.6.32.71~41 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=42646fbfdee0717b3d4c164e15d31b608d6ece97;p=thirdparty%2Fkernel%2Fstable.git pipe: Fix buffer offset after partially failed read Quoting the RHEL advisory: > It was found that the fix for CVE-2015-1805 incorrectly kept buffer > offset and buffer length in sync on a failed atomic read, potentially > resulting in a pipe buffer state corruption. A local, unprivileged user > could use this flaw to crash the system or leak kernel memory to user > space. (CVE-2016-0774, Moderate) The same flawed fix was applied to stable branches from 2.6.32.y to 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y. We need to give pipe_iov_copy_to_user() a separate offset variable and only update the buffer offset if it succeeds. References: https://rhn.redhat.com/errata/RHSA-2016-0103.html Signed-off-by: Ben Hutchings Signed-off-by: Willy Tarreau --- diff --git a/fs/pipe.c b/fs/pipe.c index daa71ea5eb812..d34cce99ac72e 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -360,6 +360,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, void *addr; size_t chars = buf->len, remaining; int error, atomic; + int offset; if (chars > total_len) chars = total_len; @@ -373,9 +374,10 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, atomic = !iov_fault_in_pages_write(iov, chars); remaining = chars; + offset = buf->offset; redo: addr = ops->map(pipe, buf, atomic); - error = pipe_iov_copy_to_user(iov, addr, &buf->offset, + error = pipe_iov_copy_to_user(iov, addr, &offset, &remaining, atomic); ops->unmap(pipe, buf, addr); if (unlikely(error)) { @@ -391,6 +393,7 @@ redo: break; } ret += chars; + buf->offset += chars; buf->len -= chars; if (!buf->len) { buf->ops = NULL;