pipe: Fix buffer offset after partially failed read
Quoting the RHEL advisory: > It was found that the fix for CVE-2015-1805 incorrectly kept buffer > offset and buffer length in sync on a failed atomic read, potentially > resulting in a pipe buffer state corruption. A local, unprivileged user > could use this flaw to crash the system or leak kernel memory to user > space. (CVE-2016-0774, Moderate) The same flawed fix was applied to stable branches from 2.6.32.y to 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y. We need to give pipe_iov_copy_to_user() a separate offset variable and only update the buffer offset if it succeeds. Change-Id: I988802f38acf40c7671fa0978880928b02d29b56 References: https://rhn.redhat.com/errata/RHSA-2016-0103.html Signed-off-by:Ben Hutchings <ben@decadent.org.uk> (cherry picked from commit feae3ca2) Reviewed-on: http://mcrd1-22-pc.corpnet.asus/code-review/master/228173 Reviewed-by:
steve yang <steve2_yang@asus.com> Tested-by: ...
Please register or sign in to comment