pipe: Fix buffer offset after partially failed read
Ben Hutchings [Sat, 13 Feb 2016 02:34:52 +0000 (02:34 +0000)]
Quoting the RHEL advisory:

> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> offset and buffer length in sync on a failed atomic read, potentially
> resulting in a pipe buffer state corruption. A local, unprivileged user
> could use this flaw to crash the system or leak kernel memory to user
> space. (CVE-2016-0774, Moderate)

The same flawed fix was applied to stable branches from 2.6.32.y to
3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
We need to give pipe_iov_copy_to_user() a separate offset variable
and only update the buffer offset if it succeeds.

Bug 1744232
Bug 200188096

Change-Id: I988802f38acf40c7671fa0978880928b02d29b56
References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
(cherry picked from commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2)
Reviewed-on: http://git-master/r/1127903
GVS: Gerrit_Virtual_Submit
Reviewed-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Tested-by: David Dastous St Hilaire <ddastoussthi@nvidia.com>
Reviewed-by: Venkata Jagadish <vjagadish@nvidia.com>
Reviewed-by: Vinayak Pane <vpane@nvidia.com>

fs/pipe.c

index 3e7ab27..50267e6 100644 (file)
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -401,6 +401,7 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
                        void *addr;
                        size_t chars = buf->len, remaining;
                        int error, atomic;
+                       int offset;
 
                        if (chars > total_len)
                                chars = total_len;
@@ -414,9 +415,10 @@ pipe_read(struct kiocb *iocb, const struct iovec *_iov,
 
                        atomic = !iov_fault_in_pages_write(iov, chars);
                        remaining = chars;
+                       offset = buf->offset;
 redo:
                        addr = ops->map(pipe, buf, atomic);
-                       error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
+                       error = pipe_iov_copy_to_user(iov, addr, &offset,
                                                      &remaining, atomic);
                        ops->unmap(pipe, buf, addr);
                        if (unlikely(error)) {
@@ -432,6 +434,7 @@ redo:
                                break;
                        }
                        ret += chars;
+                       buf->offset += chars;
                        buf->len -= chars;
 
                        /* Was it a packet buffer? Clean up and exit */