aboutsummaryrefslogtreecommitdiffstats
path: root/fs/pipe.c
diff options
context:
space:
mode:
authorBen Hutchings <ben@decadent.org.uk>2016-02-13 02:34:52 +0000
committerZefan Li <lizefan@huawei.com>2016-04-27 18:55:30 +0800
commitb381fbc509052d07ccf8641fd7560a25d46aaf1e (patch)
tree6c4b5e4ae9eb47c0ef3b60be38c78536e00cd8f2 /fs/pipe.c
parente08cc94c26fab53cf0d2c655ecdcaf39d31dd18a (diff)
pipe: Fix buffer offset after partially failed read
Quoting the RHEL advisory: > It was found that the fix for CVE-2015-1805 incorrectly kept buffer > offset and buffer length in sync on a failed atomic read, potentially > resulting in a pipe buffer state corruption. A local, unprivileged user > could use this flaw to crash the system or leak kernel memory to user > space. (CVE-2016-0774, Moderate) The same flawed fix was applied to stable branches from 2.6.32.y to 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y. We need to give pipe_iov_copy_to_user() a separate offset variable and only update the buffer offset if it succeeds. References: https://rhn.redhat.com/errata/RHSA-2016-0103.html Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Cc: Jeffrey Vander Stoep <jeffv@google.com> Signed-off-by: Zefan Li <lizefan@huawei.com>
Diffstat (limited to 'fs/pipe.c')
-rw-r--r--fs/pipe.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/fs/pipe.c b/fs/pipe.c
index abfb935..6049235 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -390,6 +390,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
void *addr;
size_t chars = buf->len, remaining;
int error, atomic;
+ int offset;
if (chars > total_len)
chars = total_len;
@@ -403,9 +404,10 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
atomic = !iov_fault_in_pages_write(iov, chars);
remaining = chars;
+ offset = buf->offset;
redo:
addr = ops->map(pipe, buf, atomic);
- error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
+ error = pipe_iov_copy_to_user(iov, addr, &offset,
&remaining, atomic);
ops->unmap(pipe, buf, addr);
if (unlikely(error)) {
@@ -421,6 +423,7 @@ redo:
break;
}
ret += chars;
+ buf->offset += chars;
buf->len -= chars;
/* Was it a packet buffer? Clean up and exit */