[kernel] r22740 - in dists/squeeze-security/linux-2.6/debian: . patches/bugfix/all patches/series

Ben Hutchings benh at moszumanska.debian.org
Sun Jun 14 18:04:33 UTC 2015


Author: benh
Date: Sun Jun 14 18:04:32 2015
New Revision: 22740

Log:
pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic (CVE-2015-1805)

Added:
   dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
Modified:
   dists/squeeze-security/linux-2.6/debian/changelog
   dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12

Modified: dists/squeeze-security/linux-2.6/debian/changelog
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/changelog	Sun Jun 14 17:27:25 2015	(r22739)
+++ dists/squeeze-security/linux-2.6/debian/changelog	Sun Jun 14 18:04:32 2015	(r22740)
@@ -52,6 +52,8 @@
   * udf: Check path length when reading symlink (CVE-2014-9731)
   * udf: Check component length before reading it
     (CVE-2014-9728, CVE-2014-9730)
+  * pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
+    (CVE-2015-1805)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 12 Apr 2015 17:12:31 +0100
 

Added: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch	Sun Jun 14 18:04:32 2015	(r22740)
@@ -0,0 +1,63 @@
+From 50a9195a47536c8775fd96bca8a1a684d9880622 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sun, 14 Jun 2015 18:45:08 +0100
+Subject: [PATCH] pipe: iovec: Fix memory corruption when retrying atomic copy
+ as non-atomic
+
+pipe_iov_copy_{from,to}_user() may be called twice with the same
+iovec, so they must not modify it.  Currently, the second call will
+corrupt the piped data (possibly also leading to an information leak
+between processes) and may also corrupt kernel memory.
+
+This was fixed upstream by commits f0d1bec9d58d ("new helper:
+copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
+copy_page_to_iter()"), but those aren't suitable for stable.
+
+Cc: stable <stable at vger.kernel.org> # 3.14 and earlier
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/pipe.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/fs/pipe.c b/fs/pipe.c
+index 8ca88fc..5495c4f 100644
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -90,7 +90,7 @@ void pipe_wait(struct pipe_inode_info *pipe)
+ }
+ 
+ static int
+-pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
++pipe_iov_copy_from_user(void *to, const struct iovec *iov, unsigned long len,
+ 			int atomic)
+ {
+ 	unsigned long copy;
+@@ -109,15 +109,14 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
+ 		}
+ 		to += copy;
+ 		len -= copy;
+-		iov->iov_base += copy;
+-		iov->iov_len -= copy;
++		iov++;
+ 	}
+ 	return 0;
+ }
+ 
+ static int
+-pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
+-		      int atomic)
++pipe_iov_copy_to_user(const struct iovec *iov, const void *from,
++		      unsigned long len, int atomic)
+ {
+ 	unsigned long copy;
+ 
+@@ -135,8 +134,7 @@ pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
+ 		}
+ 		from += copy;
+ 		len -= copy;
+-		iov->iov_base += copy;
+-		iov->iov_len -= copy;
++		iov++;
+ 	}
+ 	return 0;
+ }
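Review bot: the helpers now leave the caller's iovec untouched (the `iov->iov_base += copy;` / `iov->iov_len -= copy;` pairs become a plain `iov++` and the parameter becomes `const struct iovec *`), yet the diffstat shows only these two functions changing in fs/pipe.c (5 insertions, 7 deletions). Any caller that makes several successive calls with the same `iov` for one request, one per pipe buffer or page, previously depended on the helper advancing the iovec between calls; with this change such a caller would copy the same user data again on its next call unless it advances the iovec itself. Please confirm the read/write loops in this tree cope with a non-advancing iovec, or alternatively report progress back to the caller (an offset/remaining pair) so the non-atomic retry resumes from the same point without the iovec being modified in place. The `iov++` inside the loop is itself sound: each iteration consumes either the whole current element (copy == iov_len) or the remainder of len, so no element is ever left partially consumed.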

Modified: dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12	Sun Jun 14 17:27:25 2015	(r22739)
+++ dists/squeeze-security/linux-2.6/debian/patches/series/48squeeze12	Sun Jun 14 18:04:32 2015	(r22740)
@@ -26,3 +26,4 @@
 + bugfix/all/udf-treat-symlink-component-of-type-2-as.patch
 + bugfix/all/udf-check-path-length-when-reading-symlink.patch
 + bugfix/all/udf-check-component-length-before-reading-it.patch
++ bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch