diff options
author | sanghyun.eom <sanghyun.eom@samsung.com> | 2016-04-26 09:31:59 +0900 |
---|---|---|
committer | sanghyun.eom <sanghyun.eom@samsung.com> | 2016-04-26 09:31:59 +0900 |
commit | 422da0f0d79d733450a7714b08b8561f9aeb5bd4 (patch) | |
tree | d2f4d8a7445949aed60eff02a303917c13bef991 | |
parent | ea56b309e63b38d13c989e32f284922417f705d1 (diff) |
pipe: Fix buffer offset after partially failed readandroid-wear-6.0.1_r0.37
BUG=28075928
Denial of Service Vulnerability in Kernel
CVE-2016-0774
https://android-review.googlesource.com/#/c/210720/
Quoting the RHEL advisory:
> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> offset and buffer length in sync on a failed atomic read, potentially
> resulting in a pipe buffer state corruption. A local, unprivileged user
> could use this flaw to crash the system or leak kernel memory to user
> space. (CVE-2016-0774, Moderate)
The same flawed fix was applied to stable branches from 2.6.32.y to
3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
We need to give pipe_iov_copy_to_user() a separate offset variable
and only update the buffer offset if it succeeds.
Signed-off-by: sanghyun.eom <sanghyun.eom@samsung.com>
-rw-r--r-- | fs/pipe.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/fs/pipe.c b/fs/pipe.c index 3e7ab278bb0c..50267e6ba688 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -401,6 +401,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, void *addr; size_t chars = buf->len, remaining; int error, atomic; + int offset; if (chars > total_len) chars = total_len; @@ -414,9 +415,10 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov, atomic = !iov_fault_in_pages_write(iov, chars); remaining = chars; + offset = buf->offset; redo: addr = ops->map(pipe, buf, atomic); - error = pipe_iov_copy_to_user(iov, addr, &buf->offset, + error = pipe_iov_copy_to_user(iov, addr, &offset, &remaining, atomic); ops->unmap(pipe, buf, addr); if (unlikely(error)) { @@ -432,6 +434,7 @@ redo: break; } ret += chars; + buf->offset += chars; buf->len -= chars; /* Was it a packet buffer? Clean up and exit */ |