[kernel] r22749 - dists/wheezy-security/linux/debian/patches/bugfix/all

Ben Hutchings benh at moszumanska.debian.org
Mon Jun 15 02:53:33 UTC 2015 

Author: benh
Date: Mon Jun 15 02:53:32 2015
New Revision: 22749

Log:
Replace my broken patch for CVE-2015-1805 with the fix used in RHEL

Modified:
   dists/wheezy-security/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch

Modified: dists/wheezy-security/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
==============================================================================
--- dists/wheezy-security/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch	Sun Jun 14 23:56:56 2015	(r22748)
+++ dists/wheezy-security/linux/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch	Mon Jun 15 02:53:32 2015	(r22749)
@@ -1,62 +1,178 @@
 From: Ben Hutchings <ben at decadent.org.uk>
-Date: Sun, 14 Jun 2015 18:45:08 +0100
+Date: Mon, 15 Jun 2015 03:51:55 +0100
 Subject: [PATCH] pipe: iovec: Fix memory corruption when retrying atomic copy
  as non-atomic
 
-pipe_iov_copy_{from,to}_user() may be called twice with the same
-iovec, so they must not modify it.  Currently, the second call will
-corrupt the piped data (possibly also leading to an information leak
-between processes) and may also corrupt kernel memory.
+pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
+the first time atomically and the second time not.  The second attempt
+needs to continue from the iovec position, pipe buffer offset and
+remaining length where the first attempt failed, but currently the
+pipe buffer offset and remaining length are reset.  This will corrupt
+the piped data (possibly also leading to an information leak between
+processes) and may also corrupt kernel memory.
 
 This was fixed upstream by commits f0d1bec9d58d ("new helper:
 copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
-copy_page_to_iter()"), but those aren't suitable for stable.
+copy_page_to_iter()"), but those aren't suitable for stable.  This fix
+for older kernel versions was made by Seth Jennings for RHEL and I
+have extracted it from their update.
 
+CVE-2015-1805
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
 Cc: stable <stable at vger.kernel.org> # 3.14 and earlier
 Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
 ---
- fs/pipe.c | 12 +++++-------
- 1 file changed, 5 insertions(+), 7 deletions(-)
+ fs/pipe.c | 55 ++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 32 insertions(+), 23 deletions(-)
 
-diff --git a/fs/pipe.c b/fs/pipe.c
-index 8ca88fc..5495c4f 100644
 --- a/fs/pipe.c
 +++ b/fs/pipe.c
-@@ -103,7 +103,7 @@ void pipe_wait(struct pipe_inode_info *pipe)
+@@ -103,25 +103,27 @@ void pipe_wait(struct pipe_inode_info *pipe)
  }
  
  static int
 -pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
-+pipe_iov_copy_from_user(void *to, const struct iovec *iov, unsigned long len,
- 			int atomic)
+-			int atomic)
++pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov,
++			size_t *remaining, int atomic)
  {
  	unsigned long copy;
-@@ -122,15 +122,14 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
+ 
+-	while (len > 0) {
++	while (*remaining > 0) {
+ 		while (!iov->iov_len)
+ 			iov++;
+-		copy = min_t(unsigned long, len, iov->iov_len);
++		copy = min_t(unsigned long, *remaining, iov->iov_len);
+ 
+ 		if (atomic) {
+-			if (__copy_from_user_inatomic(to, iov->iov_base, copy))
++			if (__copy_from_user_inatomic(addr + *offset,
++						      iov->iov_base, copy))
+ 				return -EFAULT;
+ 		} else {
+-			if (copy_from_user(to, iov->iov_base, copy))
++			if (copy_from_user(addr + *offset,
++					   iov->iov_base, copy))
+ 				return -EFAULT;
  		}
- 		to += copy;
- 		len -= copy;
--		iov->iov_base += copy;
--		iov->iov_len -= copy;
-+		iov++;
+-		to += copy;
+-		len -= copy;
++		*offset += copy;
++		*remaining -= copy;
+ 		iov->iov_base += copy;
+ 		iov->iov_len -= copy;
  	}
- 	return 0;
+@@ -129,25 +131,27 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
  }
  
  static int
 -pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
 -		      int atomic)
-+pipe_iov_copy_to_user(const struct iovec *iov, const void *from,
-+		      unsigned long len, int atomic)
++pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset,
++		      size_t *remaining, int atomic)
  {
  	unsigned long copy;
  
-@@ -148,8 +147,7 @@ pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
+-	while (len > 0) {
++	while (*remaining > 0) {
+ 		while (!iov->iov_len)
+ 			iov++;
+-		copy = min_t(unsigned long, len, iov->iov_len);
++		copy = min_t(unsigned long, *remaining, iov->iov_len);
+ 
+ 		if (atomic) {
+-			if (__copy_to_user_inatomic(iov->iov_base, from, copy))
++			if (__copy_to_user_inatomic(iov->iov_base,
++						    addr + *offset, copy))
+ 				return -EFAULT;
+ 		} else {
+-			if (copy_to_user(iov->iov_base, from, copy))
++			if (copy_to_user(iov->iov_base,
++					 addr + *offset, copy))
+ 				return -EFAULT;
  		}
- 		from += copy;
- 		len -= copy;
--		iov->iov_base += copy;
--		iov->iov_len -= copy;
-+		iov++;
+-		from += copy;
+-		len -= copy;
++		*offset += copy;
++		*remaining -= copy;
+ 		iov->iov_base += copy;
+ 		iov->iov_len -= copy;
  	}
- 	return 0;
+@@ -383,7 +387,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
+ 			struct pipe_buffer *buf = pipe->bufs + curbuf;
+ 			const struct pipe_buf_operations *ops = buf->ops;
+ 			void *addr;
+-			size_t chars = buf->len;
++			size_t chars = buf->len, remaining;
+ 			int error, atomic;
+ 
+ 			if (chars > total_len)
+@@ -397,9 +401,11 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
  }
+ 
+ 			atomic = !iov_fault_in_pages_write(iov, chars);
++			remaining = chars;
+ redo:
+ 			addr = ops->map(pipe, buf, atomic);
+-			error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic);
++			error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
++						      &remaining, atomic);
+ 			ops->unmap(pipe, buf, addr);
+ 			if (unlikely(error)) {
+ 				/*
+@@ -414,7 +420,6 @@ redo:
+ 				break;
+ 			}
+ 			ret += chars;
+-			buf->offset += chars;
+ 			buf->len -= chars;
+ 
+ 			/* Was it a packet buffer? Clean up and exit */
+@@ -521,6 +526,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+ 		if (ops->can_merge && offset + chars <= PAGE_SIZE) {
+ 			int error, atomic = 1;
+ 			void *addr;
++			size_t remaining = chars;
+ 
+ 			error = ops->confirm(pipe, buf);
+ 			if (error)
+@@ -529,8 +535,8 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+ 			iov_fault_in_pages_read(iov, chars);
+ redo1:
+ 			addr = ops->map(pipe, buf, atomic);
+-			error = pipe_iov_copy_from_user(offset + addr, iov,
+-							chars, atomic);
++			error = pipe_iov_copy_from_user(addr, &offset, iov,
++							&remaining, atomic);
+ 			ops->unmap(pipe, buf, addr);
+ 			ret = error;
+ 			do_wakeup = 1;
+@@ -565,6 +571,8 @@ redo1:
+ 			struct page *page = pipe->tmp_page;
+ 			char *src;
+ 			int error, atomic = 1;
++			int offset = 0;
++			size_t remaining;
+ 
+ 			if (!page) {
+ 				page = alloc_page(GFP_HIGHUSER);
+@@ -585,14 +593,15 @@ redo1:
+ 				chars = total_len;
+ 
+ 			iov_fault_in_pages_read(iov, chars);
++			remaining = chars;
+ redo2:
+ 			if (atomic)
+ 				src = kmap_atomic(page, KM_USER0);
+ 			else
+ 				src = kmap(page);
+ 
+-			error = pipe_iov_copy_from_user(src, iov, chars,
+-							atomic);
++			error = pipe_iov_copy_from_user(src, &offset, iov,
++							&remaining, atomic);
+ 			if (atomic)
+ 				kunmap_atomic(src, KM_USER0);
+ 			else

More information about the Kernel-svn-changes mailing list