[linux] 01/01: pipe: Fix buffer offset after partially failed read (CVE-2016-0774)

debian-kernel at lists.debian.org
Sat Feb 13 18:43:21 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch wheezy-security
in repository linux.

commit 6a89d8e8ab3e753ef22f95fab4187a1734911268
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Feb 13 17:34:18 2016 +0000

    pipe: Fix buffer offset after partially failed read (CVE-2016-0774)
---
 debian/changelog                                   |  1 +
 ...buffer-offset-after-partially-failed-read.patch | 51 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 53 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 0e6e2c9..2500ebb 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -18,6 +18,7 @@ linux (3.2.73-2+deb7u3) UNRELEASED; urgency=medium
     - XINO handles EINTR from the dying process
   * af_unix: Guard against other == sk in unix_dgram_sendmsg
     (regression in 3.2.73-2+deb7u1)
+  * pipe: Fix buffer offset after partially failed read (CVE-2016-0774)
 
   [ Salvatore Bonaccorso ]
   * unix: properly account for FDs passed over unix sockets (CVE-2013-4312)
diff --git a/debian/patches/bugfix/all/pipe-fix-buffer-offset-after-partially-failed-read.patch b/debian/patches/bugfix/all/pipe-fix-buffer-offset-after-partially-failed-read.patch
new file mode 100644
index 0000000..2cd1d94
--- /dev/null
+++ b/debian/patches/bugfix/all/pipe-fix-buffer-offset-after-partially-failed-read.patch
@@ -0,0 +1,51 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 13 Feb 2016 02:34:52 +0000
+Subject: pipe: Fix buffer offset after partially failed read
+Forwarded: not-needed
+
+Quoting the RHEL advisory:
+
+> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
+> offset and buffer length in sync on a failed atomic read, potentially
+> resulting in a pipe buffer state corruption. A local, unprivileged user
+> could use this flaw to crash the system or leak kernel memory to user
+> space. (CVE-2016-0774, Moderate)
+
+The same flawed fix was applied to stable branches from 2.6.32.y to
+3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
+We need to give pipe_iov_copy_to_user() a separate offset variable
+and only update the buffer offset if it succeeds.
+
+References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -395,6 +395,7 @@ pipe_read(struct kiocb *iocb, const stru
+ 			void *addr;
+ 			size_t chars = buf->len, remaining;
+ 			int error, atomic;
++			int offset;
+ 
+ 			if (chars > total_len)
+ 				chars = total_len;
+@@ -408,9 +409,10 @@ pipe_read(struct kiocb *iocb, const stru
+ 
+ 			atomic = !iov_fault_in_pages_write(iov, chars);
+ 			remaining = chars;
++			offset = buf->offset;
+ redo:
+ 			addr = ops->map(pipe, buf, atomic);
+-			error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
++			error = pipe_iov_copy_to_user(iov, addr, &offset,
+ 						      &remaining, atomic);
+ 			ops->unmap(pipe, buf, addr);
+ 			if (unlikely(error)) {
+@@ -426,6 +428,7 @@ redo:
+ 				break;
+ 			}
+ 			ret += chars;
++			buf->offset += chars;
+ 			buf->len -= chars;
+ 
+ 			/* Was it a packet buffer? Clean up and exit */
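Review bot: a one-line comment at `offset = buf->offset;` would help future readers, because the local `offset` is deliberately not reset when the copy fails and control comes back to `redo:`; it is the working cursor that advances in step with `remaining`, and `buf->offset` is committed only on the success path where `buf->offset += chars;` now sits beside `buf->len -= chars;`. That pairing is the whole point of the fix (the description says the buffer offset should only be updated if the copy succeeds), so stating it at the snapshot line prevents the retry path from being mistaken for a bug later. A smaller style point: `offset` is declared `int` while `remaining` on the line above is `size_t`; giving the local the same unsigned type as the field it mirrors would be more consistent with the surrounding declarations.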
diff --git a/debian/patches/series b/debian/patches/series
index 201e4da..8483951 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1203,3 +1203,4 @@ bugfix/all/iw_cxgb3-Fix-incorrectly-returning-error-on-success.patch
 bugfix/all/aufs-tiny-extract-a-new-func-xino_fwrite_wkq.patch
 bugfix/all/aufs-for-4.3-xino-handles-eintr-from-the-dying-proce.patch
 bugfix/all/af_unix-guard-against-other-sk-in-unix_dgram_sendmsg.patch
+bugfix/all/pipe-fix-buffer-offset-after-partially-failed-read.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git



More information about the Kernel-svn-changes mailing list