Skip to content
Snippets Groups Projects
Commit 422da0f0 authored by sanghyun.eom's avatar sanghyun.eom
Browse files

pipe: Fix buffer offset after partially failed read 

BUG=28075928

Denial of Service Vulnerability in Kernel
CVE-2016-0774
https://android-review.googlesource.com/#/c/210720/



Quoting the RHEL advisory:

> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> offset and buffer length in sync on a failed atomic read, potentially
> resulting in a pipe buffer state corruption. A local, unprivileged user
> could use this flaw to crash the system or leak kernel memory to user
> space. (CVE-2016-0774, Moderate)

The same flawed fix was applied to stable branches from 2.6.32.y to
3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
We need to give pipe_iov_copy_to_user() a separate offset variable
and only update the buffer offset if it succeeds.

Signed-off-by: default avatarsanghyun.eom <sanghyun.eom@samsung.com>
parent ea56b309
No related merge requests found
Show whitespace changes
Inline Side-by-side
Showing
with 4 additions and 1 deletion
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment