review.tizen.org Git - profile/mobile/platform/kernel/linux-3.10-sc7730.git/commit

author	Ben Hutchings <ben@decadent.org.uk>
	Sat, 13 Feb 2016 02:34:52 +0000 (02:34 +0000)
committer	Seung-Woo Kim <sw0312.kim@samsung.com>
	Wed, 11 Oct 2017 10:02:37 +0000 (19:02 +0900)
commit	87ca3f0f81d45f3b6f7df70a551886f9e20e510e
tree	26c7c07fd31f7c6f8d2737b67fa1db4d3fadaccb	tree \| snapshot
parent	e2b2303af9958c3bdda18b8c5b850e6a99912783	commit \| diff

pipe: Fix buffer offset after partially failed read

Quoting the RHEL advisory:

> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> offset and buffer length in sync on a failed atomic read, potentially
> resulting in a pipe buffer state corruption. A local, unprivileged user
> could use this flaw to crash the system or leak kernel memory to user
> space. (CVE-2016-0774, Moderate)

The same flawed fix was applied to stable branches from 2.6.32.y to
3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
We need to give pipe_iov_copy_to_user() a separate offset variable
and only update the buffer offset if it succeeds.

References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Willy Tarreau <w@1wt.eu>
[sw0312.kim: cherry-pick from linux-3.10.y to fix CVE-2016-0774]
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Change-Id: Ic84a2a8a62222e786a83459e51055213c48faa90