On 06/05/2016, 11:40 PM, Greg Kroah-Hartman wrote: > 3.14-stable review patch. If anyone has any objections, please let me know. > > ------------------ > > From: Ben Hutchings <b...@decadent.org.uk> > > commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2 upstream.
This is not a SHA of an upstream commit ;). > Quoting the RHEL advisory: > >> It was found that the fix for CVE-2015-1805 incorrectly kept buffer >> offset and buffer length in sync on a failed atomic read, potentially >> resulting in a pipe buffer state corruption. A local, unprivileged user >> could use this flaw to crash the system or leak kernel memory to user >> space. (CVE-2016-0774, Moderate) > > The same flawed fix was applied to stable branches from 2.6.32.y to > 3.14.y inclusive, and I was able to reproduce the issue on 3.2.y. > We need to give pipe_iov_copy_to_user() a separate offset variable > and only update the buffer offset if it succeeds. > > References: https://rhn.redhat.com/errata/RHSA-2016-0103.html > Signed-off-by: Ben Hutchings <b...@decadent.org.uk> > Cc: Willy Tarreau <w...@1wt.eu> > Signed-off-by: Greg Kroah-Hartman <gre...@linuxfoundation.org> thanks, -- js suse labs
