diff options
author | Ben Hutchings <ben@decadent.org.uk> | 2015-06-15 03:51:55 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2015-08-07 00:32:15 +0100 |
commit | 75cf667b7fac08a7b21694adca7dff07361be68a (patch) | |
tree | 5be4cb98de626657314df194cf090dd7ce16bfb4 /net/ipv6 | |
parent | 9fa3f3e6f2a4f4797df5550a33ec5ac1088647e7 (diff) |
pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
the first time atomically and the second time not. The second attempt
needs to continue from the iovec position, pipe buffer offset and
remaining length where the first attempt failed, but currently the
pipe buffer offset and remaining length are reset. This will corrupt
the piped data (possibly also leading to an information leak between
processes) and may also corrupt kernel memory.
This was fixed upstream by commits f0d1bec9d58d ("new helper:
copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
copy_page_to_iter()"), but those aren't suitable for stable. This fix
for older kernel versions was made by Seth Jennings for RHEL and I
have extracted it from their update.
CVE-2015-1805
References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'net/ipv6')
0 files changed, 0 insertions, 0 deletions