aboutsummaryrefslogtreecommitdiffstats
path: root/fs/fscache
diff options
context:
space:
mode:
authorBen Hutchings <ben@decadent.org.uk>2015-06-16 22:11:06 +0100
committerSimon Shields <keepcalm444@gmail.com>2016-03-19 14:02:17 +1100
commit9393c919cefaca29c13f5725492b8181d2358a2e (patch)
treeec7d6396a81003e650716640cc89200654065b55 /fs/fscache
parent1bbc15bdb1b3ee0cf511baace1b4e6042d6b22ab (diff)
downloadkernel_samsung_smdk4412-9393c919cefaca29c13f5725492b8181d2358a2e.tar.gz
kernel_samsung_smdk4412-9393c919cefaca29c13f5725492b8181d2358a2e.tar.bz2
kernel_samsung_smdk4412-9393c919cefaca29c13f5725492b8181d2358a2e.zip
pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec, the first time atomically and the second time not. The second attempt needs to continue from the iovec position, pipe buffer offset and remaining length where the first attempt failed, but currently the pipe buffer offset and remaining length are reset. This will corrupt the piped data (possibly also leading to an information leak between processes) and may also corrupt kernel memory. This was fixed upstream by commits f0d1bec9d58d ("new helper: copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to copy_page_to_iter()"), but those aren't suitable for stable. This fix for older kernel versions was made by Seth Jennings for RHEL and I have extracted it from their update. CVE-2015-1805 Bug: 27275324 Change-Id: I459adb9076fcd50ff1f1c557089c4e421b036ec4 References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855 Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 85c34d007116f8a8aafb173966a605fb03532f45)
Diffstat (limited to 'fs/fscache')
0 files changed, 0 insertions, 0 deletions
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-02 13:35:11 +0000