aboutsummaryrefslogtreecommitdiffstats
path: root/fs/readdir.c
diff options
context:
space:
mode:
authorBen Hutchings <ben@decadent.org.uk>2016-02-13 02:34:52 +0000
committerSimon Shields <keepcalm444@gmail.com>2016-04-05 18:18:17 +1000
commit632dc60cfc82c6b7b5ba129875c5a4cd20564ddb (patch)
treed2f509a131998ed26024ed148fae1e368229b270 /fs/readdir.c
parent3419d278c82828870f8f039ac429df389d0cb738 (diff)
downloadkernel_samsung_smdk4412-632dc60cfc82c6b7b5ba129875c5a4cd20564ddb.zip
kernel_samsung_smdk4412-632dc60cfc82c6b7b5ba129875c5a4cd20564ddb.tar.gz
kernel_samsung_smdk4412-632dc60cfc82c6b7b5ba129875c5a4cd20564ddb.tar.bz2
pipe: Fix buffer offset after partially failed read
Quoting the RHEL advisory: > It was found that the fix for CVE-2015-1805 incorrectly kept buffer > offset and buffer length in sync on a failed atomic read, potentially > resulting in a pipe buffer state corruption. A local, unprivileged user > could use this flaw to crash the system or leak kernel memory to user > space. (CVE-2016-0774, Moderate) The same flawed fix was applied to stable branches from 2.6.32.y to 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y. We need to give pipe_iov_copy_to_user() a separate offset variable and only update the buffer offset if it succeeds. Change-Id: I988802f38acf40c7671fa0978880928b02d29b56 References: https://rhn.redhat.com/errata/RHSA-2016-0103.html Signed-off-by: Ben Hutchings <ben@decadent.org.uk> (cherry picked from commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2)
Diffstat (limited to 'fs/readdir.c')
0 files changed, 0 insertions, 0 deletions
generated by cgit v1.1 at 2025-01-08 19:37:24 +0000