• Ben Hutchings's avatar
    pipe: Fix buffer offset after partially failed read · 42646fbf
    Ben Hutchings authored
    Quoting the RHEL advisory:
    
    > It was found that the fix for CVE-2015-1805 incorrectly kept buffer
    > offset and buffer length in sync on a failed atomic read, potentially
    > resulting in a pipe buffer state corruption. A local, unprivileged user
    > could use this flaw to crash the system or leak kernel memory to user
    > space. (CVE-2016-0774, Moderate)
    
    The same flawed fix was applied to stable branches from 2.6.32.y to
    3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
    We need to give pipe_iov_copy_to_user() a separate offset variable
    and only update the buffer offset if it succeeds.
    
    References: https://rhn.redhat.com/errata/RHSA-2016-0103.htmlSigned-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
    Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
    42646fbf
pipe.c 25.5 KB