[kernel] r22742 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/all
Ben Hutchings
benh at moszumanska.debian.org
Sun Jun 14 19:45:15 UTC 2015
Author: benh
Date: Sun Jun 14 19:45:15 2015
New Revision: 22742
Log:
pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic (CVE-2015-1805)
Added:
dists/wheezy-security/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
Modified:
dists/wheezy-security/linux/debian/changelog
dists/wheezy-security/linux/debian/patches/series
Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog Sun Jun 14 18:17:19 2015 (r22741)
+++ dists/wheezy-security/linux/debian/changelog Sun Jun 14 19:45:15 2015 (r22742)
@@ -1,3 +1,10 @@
+linux (3.2.68-1+deb7u2) UNRELEASED; urgency=medium
+
+ * pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
+ (CVE-2015-1805)
+
+ -- Ben Hutchings <ben at decadent.org.uk> Sun, 14 Jun 2015 20:44:48 +0100
+
linux (3.2.68-1+deb7u1) wheezy-security; urgency=high
* IB/core: Prevent integer overflow in ib_umem_get address arithmetic
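Review bot: urgency=medium on the new 3.2.68-1+deb7u2 entry looks low for a change described as a memory corruption fix with a CVE assigned, when the preceding 3.2.68-1+deb7u1 security upload used urgency=high. Consider urgency=high here as well. The distribution field also still reads UNRELEASED and will need to become wheezy-security, as in the entry below it, before upload.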
Added: dists/wheezy-security/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch Sun Jun 14 19:45:15 2015 (r22742)
@@ -0,0 +1,62 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sun, 14 Jun 2015 18:45:08 +0100
+Subject: [PATCH] pipe: iovec: Fix memory corruption when retrying atomic copy
+ as non-atomic
+
+pipe_iov_copy_{from,to}_user() may be called twice with the same
+iovec, so they must not modify it. Currently, the second call will
+corrupt the piped data (possibly also leading to an information leak
+between processes) and may also corrupt kernel memory.
+
+This was fixed upstream by commits f0d1bec9d58d ("new helper:
+copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
+copy_page_to_iter()"), but those aren't suitable for stable.
+
+Cc: stable <stable at vger.kernel.org> # 3.14 and earlier
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+ fs/pipe.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/fs/pipe.c b/fs/pipe.c
+index 8ca88fc..5495c4f 100644
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -103,7 +103,7 @@ void pipe_wait(struct pipe_inode_info *pipe)
+ }
+
+ static int
+-pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
++pipe_iov_copy_from_user(void *to, const struct iovec *iov, unsigned long len,
+ int atomic)
+ {
+ unsigned long copy;
+@@ -122,15 +122,14 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
+ }
+ to += copy;
+ len -= copy;
+- iov->iov_base += copy;
+- iov->iov_len -= copy;
++ iov++;
+ }
+ return 0;
+ }
+
+ static int
+-pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
+- int atomic)
++pipe_iov_copy_to_user(const struct iovec *iov, const void *from,
++ unsigned long len, int atomic)
+ {
+ unsigned long copy;
+
+@@ -148,8 +147,7 @@ pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
+ }
+ from += copy;
+ len -= copy;
+- iov->iov_base += copy;
+- iov->iov_len -= copy;
++ iov++;
+ }
+ return 0;
+ }
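Review bot: Replacing `iov->iov_base += copy; iov->iov_len -= copy;` with `iov++` in both pipe_iov_copy_from_user() and pipe_iov_copy_to_user() removes the only record of how far into the iovec a copy has progressed, and nothing else in this patch adds one. The diffstat's 5 insertions and 7 deletions all fall inside these two helpers, so the callers are unchanged. If a caller invokes the helper more than once for a single read or write, for example once per pipe buffer, every later call will now start again at the first iovec element with offset zero and copy to or from the same user memory repeatedly. Please confirm that the callers track the position themselves, or pass an explicit offset into the helpers and advance it only once a copy has finally succeeded, so that the atomic-then-non-atomic retry still sees the original position. The added const on iov is the right constraint and should stay. The commit message should also state how progress across calls is maintained.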
Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series Sun Jun 14 18:17:19 2015 (r22741)
+++ dists/wheezy-security/linux/debian/patches/series Sun Jun 14 19:45:15 2015 (r22742)
@@ -1166,3 +1166,4 @@
bugfix/all/ipv6-don-t-reduce-hop-limit-for-an-interface.patch
bugfix/x86/crypto-aesni-fix-memory-usage-in-GCM-decryption.patch
bugfix/all/fs-take-i_mutex-during-prepare_binprm-for-set-ug-id-.patch
+bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch