pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
author    Ben Hutchings <ben@decadent.org.uk>  Tue, 16 Jun 2015 21:11:06 +0000 (22:11 +0100)
committer Matthew Pedro <mapedro@nvidia.com>  Tue, 29 Mar 2016 17:00:36 +0000 (10:00 -0700)
commit    5d78423f5051ddf0b94ca26e9d1c2e9d3e83a939
tree      d55726acbaf38c86ef94afb159076ee4ca6c5476
parent    6458d55f01d9256959b13ea5791067407b82ed20
pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic

pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
the first time atomically and the second time not.  The second attempt
needs to continue from the iovec position, pipe buffer offset and
remaining length where the first attempt failed, but currently the
pipe buffer offset and remaining length are reset.  This will corrupt
the piped data (possibly also leading to an information leak between
processes) and may also corrupt kernel memory.

This was fixed upstream by commits f0d1bec9d58d ("new helper:
copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
copy_page_to_iter()"), but those aren't suitable for stable.  This fix
for older kernel versions was made by Seth Jennings for RHEL and I
have extracted it from their update.

CVE-2015-1805

Bug 1744232

References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 14f81062f365fa9e3839bb2a16862217b71a553c)
Change-Id: Ia5f97a4cfdaa2eb0e2a4974c2f04bc9a75934bd4
Reviewed-on: http://git-master/r/1111957
(cherry picked from commit e5bc77c0676277fd0b58ee469bd5638019a65d95)
Reviewed-on: http://git-master/r/1112337
GVS: Gerrit_Virtual_Submit
Tested-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Reviewed-by: Bharat Nihalani <bnihalani@nvidia.com>
fs/pipe.c
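A constructed user-space model of the retry defect the commit message describes, added here as an example; it is not code from fs/pipe.c or from this commit. The iovec type, the copy routine, the simulated fault and the sample buffer contents are all assumptions; the model only shows why the retry must resume from the saved buffer offset and remaining length rather than resetting them.

```c
/* Constructed model of the atomic-then-non-atomic retry; not fs/pipe.c. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
struct iov { char *base; size_t len; };

/* Stands in for pipe_iov_copy_to_user(): copy up to *remaining bytes from
 * pbuf + *offset into the iovec, advancing iov, offset and remaining in place.
 * An "atomic" attempt may fault partway; modelled by a byte limit. */
static size_t copy_to_iov(const char *pbuf, size_t *offset, size_t *remaining,
                          struct iov **iov, size_t *niov, size_t limit)
{
    size_t done = 0;
    while (*remaining && *niov) {
        if ((*iov)->len == 0) { (*iov)++; (*niov)--; continue; }
        if (done == limit) return *remaining;      /* simulated fault */
        size_t n = (*iov)->len < *remaining ? (*iov)->len : *remaining;
        if (n > limit - done) n = limit - done;
        memcpy((*iov)->base, pbuf + *offset, n);
        (*iov)->base += n; (*iov)->len -= n;
        *offset += n; *remaining -= n; done += n;
    }
    return *remaining;  /* bytes not copied, like copy_to_user() */
}

/* First attempt is "atomic" and faults after fault_after bytes; the retry is
 * not.  buggy == true reproduces the pre-fix behaviour: offset and length are
 * reset although the iovec position has already advanced. */
static void pipe_read_model(const char *pbuf, size_t off, size_t len,
                            struct iov *iov, size_t niov,
                            size_t fault_after, bool buggy)
{
    size_t offset = off, remaining = len;
    if (copy_to_iov(pbuf, &offset, &remaining, &iov, &niov, fault_after)) {
        if (buggy) { offset = off; remaining = len; }
        copy_to_iov(pbuf, &offset, &remaining, &iov, &niov, SIZE_MAX);
    }
}

/* Reader with two 4-byte iovec segments receiving 8 piped bytes; the atomic
 * attempt faults after 6 bytes.  Returns what the reader ended up with. */
static const char *model_read(bool buggy)
{
    static char dst[9];
    const char pbuf[] = "ABCDEFGH";   /* constructed pipe buffer contents */
    memset(dst, 0, sizeof dst);
    struct iov iov[2] = { { dst, 4 }, { dst + 4, 4 } };
    pipe_read_model(pbuf, 0, 8, iov, 2, 6, buggy);
    return dst;
}
```

With the reset, the retry copies the first piped bytes a second time into the tail of the reader's buffer, so the reader sees "ABCDEFAB" instead of "ABCDEFGH"; resuming from the saved offset and remaining length yields the correct data.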