[kernel] r22751 - dists/squeeze-security/linux-2.6/debian/patches/bugfix/all
Ben Hutchings
benh at moszumanska.debian.org
Mon Jun 15 03:03:29 UTC 2015
Author: benh
Date: Mon Jun 15 03:03:28 2015
New Revision: 22751
Log:
Replace my broken patch for CVE-2015-1805 with the fix used in RHEL
Modified:
dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
Modified: dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch
==============================================================================
--- dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch Mon Jun 15 02:55:39 2015 (r22750)
+++ dists/squeeze-security/linux-2.6/debian/patches/bugfix/all/pipe-iovec-fix-memory-corruption-when-retrying-atomi.patch Mon Jun 15 03:03:28 2015 (r22751)
@@ -1,63 +1,178 @@
-From 50a9195a47536c8775fd96bca8a1a684d9880622 Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben at decadent.org.uk>
-Date: Sun, 14 Jun 2015 18:45:08 +0100
+Date: Mon, 15 Jun 2015 03:51:55 +0100
Subject: [PATCH] pipe: iovec: Fix memory corruption when retrying atomic copy
as non-atomic
-pipe_iov_copy_{from,to}_user() may be called twice with the same
-iovec, so they must not modify it. Currently, the second call will
-corrupt the piped data (possibly also leading to an information leak
-between processes) and may also corrupt kernel memory.
+pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
+the first time atomically and the second time not. The second attempt
+needs to continue from the iovec position, pipe buffer offset and
+remaining length where the first attempt failed, but currently the
+pipe buffer offset and remaining length are reset. This will corrupt
+the piped data (possibly also leading to an information leak between
+processes) and may also corrupt kernel memory.
This was fixed upstream by commits f0d1bec9d58d ("new helper:
copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
-copy_page_to_iter()"), but those aren't suitable for stable.
+copy_page_to_iter()"), but those aren't suitable for stable. This fix
+for older kernel versions was made by Seth Jennings for RHEL and I
+have extracted it from their update.
+CVE-2015-1805
+
+References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
Cc: stable <stable at vger.kernel.org> # 3.14 and earlier
Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
---
- fs/pipe.c | 12 +++++-------
- 1 file changed, 5 insertions(+), 7 deletions(-)
+ fs/pipe.c | 55 ++++++++++++++++++++++++++++++++-----------------------
+ 1 file changed, 32 insertions(+), 23 deletions(-)
-diff --git a/fs/pipe.c b/fs/pipe.c
-index 8ca88fc..5495c4f 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
-@@ -90,7 +90,7 @@ void pipe_wait(struct pipe_inode_info *pipe)
+@@ -90,25 +90,27 @@ void pipe_wait(struct pipe_inode_info *pipe)
}
static int
-pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
-+pipe_iov_copy_from_user(void *to, const struct iovec *iov, unsigned long len,
- int atomic)
+- int atomic)
++pipe_iov_copy_from_user(void *addr, int *offset, struct iovec *iov,
++ size_t *remaining, int atomic)
{
unsigned long copy;
-@@ -109,15 +109,14 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
+
+- while (len > 0) {
++ while (*remaining > 0) {
+ while (!iov->iov_len)
+ iov++;
+- copy = min_t(unsigned long, len, iov->iov_len);
++ copy = min_t(unsigned long, *remaining, iov->iov_len);
+
+ if (atomic) {
+- if (__copy_from_user_inatomic(to, iov->iov_base, copy))
++ if (__copy_from_user_inatomic(addr + *offset,
++ iov->iov_base, copy))
+ return -EFAULT;
+ } else {
+- if (copy_from_user(to, iov->iov_base, copy))
++ if (copy_from_user(addr + *offset,
++ iov->iov_base, copy))
+ return -EFAULT;
}
- to += copy;
- len -= copy;
-- iov->iov_base += copy;
-- iov->iov_len -= copy;
-+ iov++;
+- to += copy;
+- len -= copy;
++ *offset += copy;
++ *remaining -= copy;
+ iov->iov_base += copy;
+ iov->iov_len -= copy;
}
- return 0;
+@@ -116,25 +118,27 @@ pipe_iov_copy_from_user(void *to, struct iovec *iov, unsigned long len,
}
static int
-pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
- int atomic)
-+pipe_iov_copy_to_user(const struct iovec *iov, const void *from,
-+ unsigned long len, int atomic)
++pipe_iov_copy_to_user(struct iovec *iov, void *addr, int *offset,
++ size_t *remaining, int atomic)
{
unsigned long copy;
-@@ -135,8 +134,7 @@ pipe_iov_copy_to_user(struct iovec *iov, const void *from, unsigned long len,
+- while (len > 0) {
++ while (*remaining > 0) {
+ while (!iov->iov_len)
+ iov++;
+- copy = min_t(unsigned long, len, iov->iov_len);
++ copy = min_t(unsigned long, *remaining, iov->iov_len);
+
+ if (atomic) {
+- if (__copy_to_user_inatomic(iov->iov_base, from, copy))
++ if (__copy_to_user_inatomic(iov->iov_base,
++ addr + *offset, copy))
+ return -EFAULT;
+ } else {
+- if (copy_to_user(iov->iov_base, from, copy))
++ if (copy_to_user(iov->iov_base,
++ addr + *offset, copy))
+ return -EFAULT;
}
- from += copy;
- len -= copy;
-- iov->iov_base += copy;
-- iov->iov_len -= copy;
-+ iov++;
+- from += copy;
+- len -= copy;
++ *offset += copy;
++ *remaining -= copy;
+ iov->iov_base += copy;
+ iov->iov_len -= copy;
}
- return 0;
- }
+@@ -354,7 +358,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
+ struct pipe_buffer *buf = pipe->bufs + curbuf;
+ const struct pipe_buf_operations *ops = buf->ops;
+ void *addr;
+- size_t chars = buf->len;
++ size_t chars = buf->len, remaining;
+ int error, atomic;
+
+ if (chars > total_len)
+@@ -368,9 +372,11 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
+ }
+
+ atomic = !iov_fault_in_pages_write(iov, chars);
++ remaining = chars;
+ redo:
+ addr = ops->map(pipe, buf, atomic);
+- error = pipe_iov_copy_to_user(iov, addr + buf->offset, chars, atomic);
++ error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
++ &remaining, atomic);
+ ops->unmap(pipe, buf, addr);
+ if (unlikely(error)) {
+ /*
+@@ -385,7 +391,6 @@ redo:
+ break;
+ }
+ ret += chars;
+- buf->offset += chars;
+ buf->len -= chars;
+ if (!buf->len) {
+ buf->ops = NULL;
+@@ -480,6 +485,7 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+ if (ops->can_merge && offset + chars <= PAGE_SIZE) {
+ int error, atomic = 1;
+ void *addr;
++ size_t remaining = chars;
+
+ error = ops->confirm(pipe, buf);
+ if (error)
+@@ -488,8 +494,8 @@ pipe_write(struct kiocb *iocb, const struct iovec *_iov,
+ iov_fault_in_pages_read(iov, chars);
+ redo1:
+ addr = ops->map(pipe, buf, atomic);
+- error = pipe_iov_copy_from_user(offset + addr, iov,
+- chars, atomic);
++ error = pipe_iov_copy_from_user(addr, &offset, iov,
++ &remaining, atomic);
+ ops->unmap(pipe, buf, addr);
+ ret = error;
+ do_wakeup = 1;
+@@ -524,6 +530,8 @@ redo1:
+ struct page *page = pipe->tmp_page;
+ char *src;
+ int error, atomic = 1;
++ int offset = 0;
++ size_t remaining;
+
+ if (!page) {
+ page = alloc_page(GFP_HIGHUSER);
+@@ -544,14 +552,15 @@ redo1:
+ chars = total_len;
+
+ iov_fault_in_pages_read(iov, chars);
++ remaining = chars;
+ redo2:
+ if (atomic)
+ src = kmap_atomic(page, KM_USER0);
+ else
+ src = kmap(page);
+
+- error = pipe_iov_copy_from_user(src, iov, chars,
+- atomic);
++ error = pipe_iov_copy_from_user(src, &offset, iov,
++ &remaining, atomic);
+ if (atomic)
+ kunmap_atomic(src, KM_USER0);
+ else