lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 07 Jun 2016 15:42:45 +0100
From:	Ben Hutchings <ben@...adent.org.uk>
To:	Jiri Slaby <jslaby@...e.cz>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
	linux-kernel@...r.kernel.org
Cc:	stable@...r.kernel.org, Willy Tarreau <w@....eu>
Subject: Re: [PATCH 3.14 11/23] pipe: Fix buffer offset after partially
 failed read

On Tue, 2016-06-07 at 15:50 +0200, Jiri Slaby wrote:
> On 06/05/2016, 11:40 PM, Greg Kroah-Hartman wrote:
> > 3.14-stable review patch.  If anyone has any objections, please let
> > me know.
> > 
> > ------------------
> > 
> > From: Ben Hutchings <ben@...adent.org.uk>
> > 
> > commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2 upstream.
> 
> This is not a SHA of an upstream commit ;).

Indeed, that's from the stable/linux-3.2.y branch.  There is no
upstream commit since the bug was never introduced there.

Ben.

> > Quoting the RHEL advisory:
> > 
> > > It was found that the fix for CVE-2015-1805 incorrectly kept
> > > buffer
> > > offset and buffer length in sync on a failed atomic read,
> > > potentially
> > > resulting in a pipe buffer state corruption. A local,
> > > unprivileged user
> > > could use this flaw to crash the system or leak kernel memory to
> > > user
> > > space. (CVE-2016-0774, Moderate)
> > 
> > The same flawed fix was applied to stable branches from 2.6.32.y to
> > 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
> > We need to give pipe_iov_copy_to_user() a separate offset variable
> > and only update the buffer offset if it succeeds.
> > 
> > References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
> > Signed-off-by: Ben Hutchings <ben@...adent.org.uk>
> > Cc: Willy Tarreau <w@....eu>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> 
> thanks,
-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson

Download attachment "signature.asc" of type "application/pgp-signature" (820 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ