[linux] 01/02: pipe: Fix buffer offset after partially failed read (CVE-2016-0774)

debian-kernel at lists.debian.org
Sat Feb 13 19:10:56 UTC 2016


This is an automated email from the git hooks/post-receive script.

benh pushed a commit to branch squeeze-security
in repository linux.

commit 34cbb7fe295e0258d8e5052673b573fbfe95d896
Author: Ben Hutchings <ben at decadent.org.uk>
Date:   Sat Feb 13 18:56:05 2016 +0000

    pipe: Fix buffer offset after partially failed read (CVE-2016-0774)
---
 debian/changelog                                   |  6 +++
 ...buffer-offset-after-partially-failed-read.patch | 51 ++++++++++++++++++++++
 debian/patches/series/48squeeze20                  |  1 +
 3 files changed, 58 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index d9c8983..d161089 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+linux-2.6 (2.6.32-48squeeze20) UNRELEASED; urgency=medium
+
+  * pipe: Fix buffer offset after partially failed read (CVE-2016-0774)
+
+ -- Ben Hutchings <ben at decadent.org.uk>  Sat, 13 Feb 2016 18:55:35 +0000
+
 linux-2.6 (2.6.32-48squeeze19) squeeze-lts; urgency=medium
 
   * usb: serial: visor: fix crash on detecting device without write_urbs
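Review bot: the changelog entry names only CVE-2016-0774, while the patch description in this same commit says the bug is a regression introduced by the CVE-2015-1805 fix; stating that in the entry (for example "pipe: Fix buffer offset after partially failed read, a regression from the CVE-2015-1805 fix (CVE-2016-0774)") tells users of 48squeeze19 that they are exposed precisely because they took the earlier fix.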
diff --git a/debian/patches/bugfix/all/pipe-fix-buffer-offset-after-partially-failed-read.patch b/debian/patches/bugfix/all/pipe-fix-buffer-offset-after-partially-failed-read.patch
new file mode 100644
index 0000000..2dd10f1
--- /dev/null
+++ b/debian/patches/bugfix/all/pipe-fix-buffer-offset-after-partially-failed-read.patch
@@ -0,0 +1,51 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 13 Feb 2016 02:34:52 +0000
+Subject: pipe: Fix buffer offset after partially failed read
+Forwarded: not-needed
+
+Quoting the RHEL advisory:
+
+> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
+> offset and buffer length in sync on a failed atomic read, potentially
+> resulting in a pipe buffer state corruption. A local, unprivileged user
+> could use this flaw to crash the system or leak kernel memory to user
+> space. (CVE-2016-0774, Moderate)
+
+The same flawed fix was applied to stable branches from 2.6.32.y to
+3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
+We need to give pipe_iov_copy_to_user() a separate offset variable
+and only update the buffer offset if it succeeds.
+
+References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/fs/pipe.c
++++ b/fs/pipe.c
+@@ -360,6 +360,7 @@ pipe_read(struct kiocb *iocb, const stru
+ 			void *addr;
+ 			size_t chars = buf->len, remaining;
+ 			int error, atomic;
++			int offset;
+ 
+ 			if (chars > total_len)
+ 				chars = total_len;
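Review bot: `int offset;` is loaded from `buf->offset`, which is an unsigned int in struct pipe_buffer, and is then handed to pipe_iov_copy_to_user() by address; because the helper writes through that pointer, its declared type must match the helper's parameter type exactly, and the hunk does not show that signature, so confirm it in this tree rather than rely on an implicit conversion being harmless.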
+@@ -373,9 +374,10 @@ pipe_read(struct kiocb *iocb, const stru
+ 
+ 			atomic = !iov_fault_in_pages_write(iov, chars);
+ 			remaining = chars;
++			offset = buf->offset;
+ redo:
+ 			addr = ops->map(pipe, buf, atomic);
+-			error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
++			error = pipe_iov_copy_to_user(iov, addr, &offset,
+ 						      &remaining, atomic);
+ 			ops->unmap(pipe, buf, addr);
+ 			if (unlikely(error)) {
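Review bot: the property this hunk depends on is that `offset` is loaded once, before the `redo:` label, and is carried through the atomic-to-non-atomic retry together with `remaining`: after `goto redo` the slow path resumes at whatever the helper advanced `offset` to, which is only correct if pipe_iov_copy_to_user() advances `*offset` by exactly the bytes it copied and by nothing for a segment that faulted. Since both locals survive the retry, `offset + remaining == buf->offset + chars` should hold on every entry to `redo`; a one-line comment stating that invariant next to `offset = buf->offset;` would make the reasoning visible to the next person backporting this.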
+@@ -391,6 +393,7 @@ redo:
+ 				break;
+ 			}
+ 			ret += chars;
++			buf->offset += chars;
+ 			buf->len -= chars;
+ 			if (!buf->len) {
+ 				buf->ops = NULL;
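Review bot: `buf->offset += chars;` is reached only when the helper returned 0, at which point `remaining` is 0 and the local `offset` equals `buf->offset + chars`, so `buf->offset = offset;` would be equivalent; using `chars` keeps the line symmetric with `buf->len -= chars;` directly below, which is the pairing that the in-place update through `&buf->offset` (removed in the previous hunk) broke by moving offset on a partial copy while len moved only on success. A short comment that the two fields must always move together would guard against the same mistake being reintroduced.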
diff --git a/debian/patches/series/48squeeze20 b/debian/patches/series/48squeeze20
new file mode 100644
index 0000000..3cbc8dd
--- /dev/null
+++ b/debian/patches/series/48squeeze20
@@ -0,0 +1 @@
++ bugfix/all/pipe-fix-buffer-offset-after-partially-failed-read.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
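The bookkeeping failure the patch description refers to, modelled in user space as an added example (this is not code from the Debian commit, from fs/pipe.c, or from the kernel at all): `model_copy_to_user()` stands in for pipe_iov_copy_to_user() and, like it, advances the caller's offset by whatever it managed to copy before faulting; the 64-byte chunks stand in for iovec segments, and the faulting user destination, the page contents and the 1024-bytes-at-offset-3072 layout are all constructed. `read_buggy()` follows the flawed CVE-2015-1805 bookkeeping (helper works on `&buf->offset`, len adjusted only on success) and `read_fixed()` follows this patch (local offset, both fields committed together on success).

```c
/* Added example: user-space model of pipe_read() bookkeeping around
 * pipe_iov_copy_to_user(). Not kernel code; names and layout are assumed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096
#define EFAULT 14

/* Modelled after struct pipe_buffer: live data is [offset, offset + len) of one page. */
struct pipe_buffer {
    unsigned char page[PAGE_SIZE];
    unsigned int offset, len;
};

/* Constructed user-side destination: copies "fault" once `fault_after` bytes
 * have been written, modelling an unmapped tail of the user buffer. */
struct user_dst {
    unsigned char buf[PAGE_SIZE];
    size_t fault_after;
    size_t written;
};

/* Stand-in for pipe_iov_copy_to_user(): copies *remaining bytes from
 * page + *offset in 64-byte chunks (one chunk ~ one iovec segment). Like the
 * real helper it advances *offset and *remaining by the bytes actually copied
 * and returns -EFAULT as soon as a chunk cannot be written. */
static int model_copy_to_user(struct user_dst *dst, const unsigned char *page,
                              unsigned int *offset, size_t *remaining)
{
    while (*remaining > 0) {
        size_t chunk = *remaining < 64 ? *remaining : 64;
        if (dst->written + chunk > dst->fault_after)
            return -EFAULT;             /* nothing of this chunk is copied */
        memcpy(dst->buf + dst->written, page + *offset, chunk);
        dst->written += chunk;
        *offset += chunk;
        *remaining -= chunk;
    }
    return 0;
}

/* Flawed CVE-2015-1805 bookkeeping: the helper moves buf->offset in place,
 * but buf->len is only reduced when the whole copy succeeded. */
static int read_buggy(struct pipe_buffer *buf, struct user_dst *dst, size_t want)
{
    size_t chars = buf->len < want ? buf->len : want;
    size_t remaining = chars;
    int error = model_copy_to_user(dst, buf->page, &buf->offset, &remaining);
    if (error)
        return error;                   /* offset moved, len did not */
    buf->len -= chars;
    return (int)chars;
}

/* With this patch: the helper works on a local copy; both fields move
 * together, and only after success. A failed read leaves buf untouched. */
static int read_fixed(struct pipe_buffer *buf, struct user_dst *dst, size_t want)
{
    size_t chars = buf->len < want ? buf->len : want;
    size_t remaining = chars;
    unsigned int offset = buf->offset;
    int error = model_copy_to_user(dst, buf->page, &offset, &remaining);
    if (error)
        return error;
    buf->offset += chars;
    buf->len -= chars;
    return (int)chars;
}

/* How many bytes the *next* read of this buffer would fetch from beyond the
 * end of the page (in the kernel: adjacent memory leaked to user space).
 * 0 means the (offset, len) pair is still consistent. */
static long page_overrun(const struct pipe_buffer *buf)
{
    long end = (long)buf->offset + (long)buf->len;
    return end > PAGE_SIZE ? end - PAGE_SIZE : 0;
}

/* Scenario: 1024 live bytes at the end of the page, a reader asking for all
 * of them, and a destination that faults after 256 bytes. Returns the
 * resulting overrun, or -1 if the read did not fail as the model expects. */
static long run_scenario(int (*reader)(struct pipe_buffer *, struct user_dst *, size_t))
{
    static struct pipe_buffer buf;
    struct user_dst dst = { .fault_after = 256, .written = 0 };

    memset(buf.page, 'A', PAGE_SIZE);
    buf.offset = 3072;
    buf.len = 1024;
    if (reader(&buf, &dst, 1024) != -EFAULT)
        return -1;
    return page_overrun(&buf);
}

/* With the fixed code a failed read can simply be retried with a good buffer
 * and every byte is delivered exactly once. Returns the retry's byte count. */
static int retry_after_fault(void)
{
    static struct pipe_buffer buf;
    struct user_dst bad = { .fault_after = 256, .written = 0 };
    struct user_dst good = { .fault_after = PAGE_SIZE, .written = 0 };

    memset(buf.page, 'A', PAGE_SIZE);
    buf.offset = 3072;
    buf.len = 1024;
    if (read_fixed(&buf, &bad, 1024) != -EFAULT)
        return -1;
    int n = read_fixed(&buf, &good, 1024);
    return (n == 1024 && buf.len == 0 && good.written == 1024) ? n : -1;
}

int main(void)
{
    printf("overrun after failed read, flawed fix: %ld bytes\n", run_scenario(read_buggy));
    printf("overrun after failed read, this patch: %ld bytes\n", run_scenario(read_fixed));
    printf("bytes delivered on retry, this patch: %d\n", retry_after_fault());
    return 0;
}
```

In the flawed variant the failed read leaves offset at 3328 with len still 1024, so the next reader would be handed 256 bytes past the page; the fixed variant leaves the pair untouched and a retry returns the full 1024 bytes. The model deliberately collapses the atomic/non-atomic retry into one faulting call, since the corruption only depends on the helper having advanced the offset before the final failure.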