Skip to content
Snippets Groups Projects
Commit c1220552 authored by Ben Hutchings's avatar Ben Hutchings Committed by Patrick Tjin
Browse files

pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic 

pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
the first time atomically and the second time not.  The second attempt
needs to continue from the iovec position, pipe buffer offset and
remaining length where the first attempt failed, but currently the
pipe buffer offset and remaining length are reset.  This will corrupt
the piped data (possibly also leading to an information leak between
processes) and may also corrupt kernel memory.

This was fixed upstream by commits f0d1bec9 ("new helper:
copy_page_from_iter()") and 637b58c2 ("switch pipe_read() to
copy_page_to_iter()"), but those aren't suitable for stable.  This fix
for older kernel versions was made by Seth Jennings for RHEL and I
have extracted it from their update.

CVE-2015-1805

(cherry picked from commit f7ebfe91b806501808413c8473a300dff58ddbb5)

Bug: 27275324

Change-Id: I459adb9076fcd50ff1f1c557089c4e421b036ec4
References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855


Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent b3623962
Branches
Tags
No related merge requests found
Show whitespace changes
Inline Side-by-side
Showing
with 32 additions and 23 deletions
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment