[kernel] r22742 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all

Ben Hutchings benh at moszumanska.debian.org
Sun Jun 14 19:45:15 UTC 2015


Author: benh
Date: Sun Jun 14 19:45:15 2015
New Revision: 22742

Log:
pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic (CVE-2015-1805)

Added:
   dists/wheezy-security/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
Modified:
   dists/wheezy-security/linux/debian/changelog
   dists/wheezy-security/linux/debian/patches/series

Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog	Sun Jun 14 18:17:19 2015	(r22741)
+++ dists/wheezy-security/linux/debian/changelog	Sun Jun 14 19:45:15 2015	(r22742)
@@ -1,3 +1,10 @@
+linux (3.2.68-1+deb7u2) UNRELEASED; urgency=medium
+
+  * pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
+    (CVE-2015-1805)
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Sun, 14 Jun 2015 20:44:48 +0100
+
 linux (3.2.68-1+deb7u1) wheezy-security; urgency=high
 
   * IB/core: Prevent integer overflow in ib_umem_get address arithmetic
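
Review bot: The new entry is marked `urgency=medium`, while the text under it describes a memory corruption fix with a CVE assigned and the previous security upload just below used `urgency=high`. If this is meant to ship through wheezy-security on the same footing, consider raising the urgency when the entry moves from UNRELEASED to its final distribution, or note why medium is enough.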

Added: dists/wheezy-security/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch	Sun Jun 14 19:45:15 2015	(r22742)
@@ -0,0 +1,62 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sun, 14 Jun 2015 18:45:08 +0100
+Subject: [PATCH] pipe: iovec: Fix memory corruption when retrying atomic copy
+ as non-atomic
+
+pipe_iov_copy_{from,to}_user() may be called twice with the same
+iovec, so they must not modify it.  Currently, the second call will
+corrupt the piped data (possibly also leading to an information leak
+between processes) and may also corrupt kernel memory.
+
+This was fixed upstream by commits f0d1bec9d58d ("new helper:
+copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
+copy_page_to_iter()"), but those aren't suitable for stable.
+
+Cc: stable <stable at vger.kernel.org> # 3.14 and earlier
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/pipe.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/fs/pipe.c b/fs/pipe.c
+index 8ca88fc..5495c4f 100644
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -103,7 +103,7 @@ void pipe_wait(struct pipe_inode_info *pipe)
+ }
+ 
+ static int
+-pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
++pipe_iov_copy_from_user(void *to, const struct iovec *iov, unsigned long len,
+ 			int atomic)
+ {
+ 	unsigned long copy;
+@@ -122,15 +122,14 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
+ 		}
+ 		to += copy;
+ 		len -= copy;
+-		iov->iov_base += copy;
+-		iov->iov_len -= copy;
++		iov++;
+ 	}
+ 	return 0;
+ }
+ 
+ static int
+-pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
+-		      int atomic)
++pipe_iov_copy_to_user(const struct iovec *iov, const void *from,
++		      unsigned long len, int atomic)
+ {
+ 	unsigned long copy;
+ 
+@@ -148,8 +147,7 @@ pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
+ 		}
+ 		from += copy;
+ 		len -= copy;
+-		iov->iov_base += copy;
+-		iov->iov_len -= copy;
++		iov++;
+ 	}
+ 	return 0;
+ }
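
Review bot: Replacing `iov->iov_base += copy; iov->iov_len -= copy;` with `iov++` in both pipe_iov_copy_from_user() and pipe_iov_copy_to_user() drops the only record of how far into the iovec a successful call got, and the diffstat (fs/pipe.c only, 5 insertions, 7 deletions) shows no caller being changed to keep that position itself. Any caller that invokes these helpers more than once during a single read or write, and relied on the earlier call having advanced the iovec, would now start again from the first segment and copy the same user bytes a second time. Suggest either having the callers track an offset into the iovec and pass it in, or stating in the commit message that each caller already advances the iovec itself after a successful copy. Making `iov` a `const struct iovec *` is a good way to enforce the "must not modify it" rule from the description and is worth keeping in any revised version.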

Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series	Sun Jun 14 18:17:19 2015	(r22741)
+++ dists/wheezy-security/linux/debian/patches/series	Sun Jun 14 19:45:15 2015	(r22742)
@@ -1166,3 +1166,4 @@
 bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
 bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch
 bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch
+bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch


