| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 7 Jun 2016 15:50:18 +0200 From: Jiri Slaby <jslaby@...e.cz> To: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, linux-kernel@...r.kernel.org Cc: stable@...r.kernel.org, Ben Hutchings <ben@...adent.org.uk>, Willy Tarreau <w@....eu> Subject: Re: [PATCH 3.14 11/23] pipe: Fix buffer offset after partially failed read On 06/05/2016, 11:40 PM, Greg Kroah-Hartman wrote: > 3.14-stable review patch. If anyone has any objections, please let me know. > > ------------------ > > From: Ben Hutchings <ben@...adent.org.uk> > > commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2 upstream. This is not a SHA of an upstream commit ;). > Quoting the RHEL advisory: > >> It was found that the fix for CVE-2015-1805 incorrectly kept buffer >> offset and buffer length in sync on a failed atomic read, potentially >> resulting in a pipe buffer state corruption. A local, unprivileged user >> could use this flaw to crash the system or leak kernel memory to user >> space. (CVE-2016-0774, Moderate) > > The same flawed fix was applied to stable branches from 2.6.32.y to > 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y. > We need to give pipe_iov_copy_to_user() a separate offset variable > and only update the buffer offset if it succeeds. > > References: https://rhn.redhat.com/errata/RHSA-2016-0103.html > Signed-off-by: Ben Hutchings <ben@...adent.org.uk> > Cc: Willy Tarreau <w@....eu> > Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org> thanks, -- js suse labs
Powered by blists - more mailing lists