linux/fs
Ben Hutchings 6b17faf3d5 pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
the first time atomically and the second time not.  The second attempt
needs to continue from the iovec position, pipe buffer offset and
remaining length where the first attempt failed, but currently the
pipe buffer offset and remaining length are reset.  This will corrupt
the piped data (possibly also leading to an information leak between
processes) and may also corrupt kernel memory.

This was fixed upstream by commits f0d1bec9d5 ("new helper:
copy_page_from_iter()") and 637b58c288 ("switch pipe_read() to
copy_page_to_iter()"), but those aren't suitable for stable.  This fix
for older kernel versions was made by Seth Jennings for RHEL and I
have extracted it from their update.

CVE-2015-1805

References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-06-29 12:25:37 -07:00
9p Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2014-01-28 08:38:04 -08:00
adfs adfs: delayed freeing of sbi 2013-10-24 23:43:27 -04:00
affs move d_rcu from overlapping d_child to overlapping d_alias 2015-04-29 10:31:54 +02:00
afs afs: proc cells and rootcell are writeable 2014-02-01 10:59:39 -08:00
autofs4 move d_rcu from overlapping d_child to overlapping d_alias 2015-04-29 10:31:54 +02:00
befs befs: iget_locked() doesn't return an ERR_PTR 2014-01-25 03:14:38 -05:00
bfs truncate: drop 'oldsize' truncate_pagecache() parameter 2013-09-12 15:38:02 -07:00
btrfs btrfs: cleanup orphans while looking up default subvolume 2015-06-22 17:01:24 -07:00
cachefiles Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-11-13 15:34:18 +09:00
ceph move d_rcu from overlapping d_child to overlapping d_alias 2015-04-29 10:31:54 +02:00
cifs move d_rcu from overlapping d_child to overlapping d_alias 2015-04-29 10:31:54 +02:00
coda move d_rcu from overlapping d_child to overlapping d_alias 2015-04-29 10:31:54 +02:00
configfs configfs: fix race between dentry put and lookup 2013-11-21 16:42:27 -08:00
cramfs mm: remove read_cache_page_async() 2014-11-21 09:23:06 -08:00
debugfs move d_rcu from overlapping d_child to overlapping d_alias 2015-04-29 10:31:54 +02:00
devpts devpts: plug the memory leak in kill_sb 2013-11-13 12:09:36 +09:00
dlm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2014-01-25 11:17:34 -08:00
ecryptfs eCryptfs: Remove buggy and unnecessary write in file name decode routine 2015-01-08 10:00:51 -08:00
efivarfs consolidate simple ->d_delete() instances 2013-11-15 22:04:17 -05:00
efs efs: get rid of ->put_super() 2014-01-25 03:13:02 -05:00
exofs exofs: Print less in r4w 2014-01-23 18:54:14 +02:00
exportfs move d_rcu from overlapping d_child to overlapping d_alias 2015-04-29 10:31:54 +02:00
ext2 ext2/3/4: use generic posix ACL infrastructure 2014-01-25 23:58:19 -05:00
ext3 ext3: Don't check quota format when there are no quota files 2014-11-14 09:00:09 -08:00
ext4 ext4: check for zero length extent explicitly 2015-06-06 08:19:36 -07:00
f2fs mm: non-atomically mark page accessed during page cache allocation where possible 2015-01-29 17:40:52 -08:00
fat fat: rcu-delay unloading nls and freeing sbi 2013-10-24 23:43:28 -04:00
freevxfs [readdir] convert freevxfs 2013-06-29 12:56:53 +04:00
fscache FS-Cache: Handle removal of unadded object to the fscache_object_list rb tree 2014-02-17 13:47:35 -08:00
fuse fuse: notify: don't move pages 2015-03-26 15:06:53 +01:00
gfs2 mm: non-atomically mark page accessed during page cache allocation where possible 2015-01-29 17:40:52 -08:00
hfs fs/hfs/btree.h: remove duplicate defines 2013-11-13 12:09:32 +09:00
hfsplus hfsplus: fix B-tree corruption after insertion at position 0 2015-04-13 14:03:03 +02:00
hostfs um: hostfs: make functions static 2014-01-26 11:51:09 +01:00
hpfs hpfs: optimize quad buffer loading 2014-02-02 16:24:07 -08:00
hppfs clean up scary strncpy(dst, src, strlen(src)) uses 2013-07-03 16:07:41 -07:00
hugetlbfs hugetlb: ensure hugepage access is denied if hugepages are not supported 2014-10-09 12:21:27 -07:00
isofs isofs: Fix unchecked printing of ER records 2015-01-08 10:00:49 -08:00
jbd jbd: Revise KERN_EMERG error messages 2013-12-04 12:27:46 +01:00
jbd2 jbd2: fix r_count overflows leading to buffer overflow in journal recovery 2015-06-06 08:19:36 -07:00
jffs2 jffs2: fix handling of corrupted summary length 2015-03-06 14:43:32 -08:00
jfs jfs: set i_ctime when setting ACL 2014-02-13 15:56:05 -06:00
kernfs kernfs: add back missing error check in kernfs_fop_mmap() 2014-06-07 10:28:08 -07:00
lockd LOCKD: Fix a race when initialising nlmsvc_timeout 2015-01-27 08:18:58 -08:00
logfs Merge branch 'for-3.14/core' of git://git.kernel.dk/linux-block 2014-01-30 11:19:05 -08:00
minix fs/minix: Drop dependency on H8300 2013-09-16 18:20:25 -07:00
ncpfs move d_rcu from overlapping d_child to overlapping d_alias 2015-04-29 10:31:54 +02:00
nfs move d_rcu from overlapping d_child to overlapping d_alias 2015-04-29 10:31:54 +02:00
nfs_common
nfsd nfsd4: fix xdr4 inclusion of escaped char 2015-01-16 06:59:33 -08:00
nilfs2 nilfs2: fix sanity check of btree level in nilfs_btree_root_broken() 2015-05-17 09:53:49 -07:00
nls nls: have register_nls() set ->owner 2014-01-25 03:14:05 -05:00
notify move d_rcu from overlapping d_child to overlapping d_alias 2015-04-29 10:31:54 +02:00
ntfs mm: non-atomically mark page accessed during page cache allocation where possible 2015-01-29 17:40:52 -08:00
ocfs2 ocfs2: dlm: fix race between purge and get lock resource 2015-05-17 09:53:49 -07:00
omfs fs, omfs: add NULL terminator in the end up the token list 2015-06-06 08:19:31 -07:00
openpromfs [readdir] convert openpromfs 2013-06-29 12:56:32 +04:00
proc proc/pagemap: walk page tables under pte lock 2015-04-29 10:31:56 +02:00
pstore pstore: Fix NULL pointer fault if get NULL prz in ramoops_get_next_prz 2015-02-05 22:35:52 -08:00
qnx4 qnx4: clean qnx4_fill_super() up 2014-01-25 03:13:03 -05:00
qnx6 [readdir] convert qnx6 2013-06-29 12:56:39 +04:00
quota quota: Properly return errors from dquot_writeback_dquots() 2014-11-14 09:00:09 -08:00
ramfs fs/ramfs: move ramfs_aops to inode.c 2014-01-23 16:36:58 -08:00
reiserfs reiserfs: call truncate_setsize under tailpack mutex 2014-07-06 18:57:29 -07:00
romfs romfs: fix returm err while getting inode in fill_super 2014-01-23 16:37:04 -08:00
squashfs Squashfs: fix failure to unlock pages on decompress error 2013-11-24 01:02:50 +00:00
sysfs sysfs: make sure read buffer is zeroed 2014-06-07 10:28:24 -07:00
sysv sysv: Add forgotten superblock lock init for v7 fs 2013-09-29 22:02:02 -04:00
ubifs UBIFS: fix free log space calculation 2014-11-14 08:59:46 -08:00
udf udf: Verify symlink size before loading it 2015-01-08 10:00:50 -08:00
ufs truncate: drop 'oldsize' truncate_pagecache() parameter 2013-09-12 15:38:02 -07:00
xfs xfs: Fix quota type in quota structures when reusing quota file 2015-03-06 14:43:31 -08:00
Kconfig fs: remove generic_acl 2014-01-26 08:26:40 -05:00
Kconfig.binfmt
Makefile Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2014-01-28 08:38:04 -08:00
aio.c ioctx_alloc(): fix vma (and file) leak on failure 2015-04-19 10:11:09 +02:00
anon_inodes.c vfs: Allocate anon_inode_inode in anon_inode_init() 2014-03-27 09:52:54 -07:00
attr.c fs,userns: Change inode_capable to capable_wrt_inode_uidgid 2014-06-16 13:40:32 -07:00
bad_inode.c [readdir] ->readdir() is gone 2013-06-29 12:57:04 +04:00
binfmt_aout.c dump_skip(): dump_seek() replacement taking coredump_params 2013-11-09 00:16:26 -05:00
binfmt_elf.c fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings 2015-06-06 08:19:40 -07:00
binfmt_elf_fdpic.c elf{,_fdpic} coredump: get rid of pointless if (siginfo->si_signo) 2013-11-09 00:16:30 -05:00
binfmt_em86.c file->f_op is never NULL... 2013-10-24 23:34:54 -04:00
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
binfmt_som.c
bio-integrity.c bio-integrity: Drop bio_integrity_verify BUG_ON in post bip->bip_iter world 2014-02-21 15:56:36 -08:00
bio.c block: Fix cloning of discard/write same bios 2014-02-11 08:40:45 -07:00
block_dev.c a trivial writeback fix 2013-09-13 23:06:40 -04:00
buffer.c mm: non-atomically mark page accessed during page cache allocation where possible 2015-01-29 17:40:52 -08:00
char_dev.c Merge branch 'for-3.13/core' of git://git.kernel.dk/linux-block 2013-11-14 12:08:14 +09:00
compat.c [readdir] constify ->actor 2013-06-29 12:57:05 +04:00
compat_binfmt_elf.c
compat_ioctl.c fs/compat_ioctl.c: fix an underflow issue (harmless) 2014-01-21 16:19:42 -08:00
coredump.c coredump: fix the setting of PF_DUMPCORE 2014-07-31 12:52:56 -07:00
dcache.c d_walk() might skip too much 2015-06-06 08:19:32 -07:00
dcookies.c fs/compat: fix lookup_dcookie() parameter handling 2014-01-29 16:22:40 -08:00
direct-io.c block: Abstract out bvec iterator 2013-11-23 22:33:47 -08:00
drop_caches.c shrinker: add node awareness 2013-09-10 18:56:31 -04:00
eventfd.c eventfd_ctx_fdget(): use fdget() instead of fget() 2014-01-25 03:13:04 -05:00
eventpoll.c eventpoll: fix uninitialized variable in epoll_ctl 2014-10-05 14:52:20 -07:00
exec.c fs: take i_mutex during prepare_binprm for set[ug]id executables 2015-05-06 21:59:21 +02:00
fcntl.c file->f_op is never NULL... 2013-10-24 23:34:54 -04:00
fhandle.c vfs: read file_handle only once in handle_to_path 2015-06-06 08:19:40 -07:00
file.c vfs: Don't let __fdget_pos() get FMODE_PATH files 2014-03-23 00:03:12 -04:00
file_table.c don't bother with {get,put}_write_access() on non-regular files 2014-05-31 13:20:29 -07:00
filesystems.c
fs-writeback.c writeback: fix a subtle race condition in I_DIRTY clearing 2015-01-16 06:59:32 -08:00
fs_struct.c seqcount: Add lockdep functionality to seqcount/seqlock structures 2013-11-06 12:40:26 +01:00
inode.c fs,userns: Change inode_capable to capable_wrt_inode_uidgid 2014-06-16 13:40:32 -07:00
internal.h get rid of s_files and files_lock 2013-11-09 00:16:20 -05:00
ioctl.c file->f_op is never NULL... 2013-10-24 23:34:54 -04:00
ioprio.c block: Fix computation of merged request priority 2014-11-21 09:23:03 -08:00
libfs.c move d_rcu from overlapping d_child to overlapping d_alias 2015-04-29 10:31:54 +02:00
locks.c locks: eliminate BUG() call when there's an unexpected lock on file close 2014-12-06 15:55:39 -08:00
mbcache.c fs: convert fs shrinkers to new scan/count API 2013-09-10 18:56:31 -04:00
mount.h switch mnt_hash to hlist 2014-03-30 19:18:51 -04:00
mpage.c block: Abstract out bvec iterator 2013-11-23 22:33:47 -08:00
namei.c RCU pathwalk breakage when running into a symlink overmounting something 2015-05-06 21:59:20 +02:00
namespace.c mnt: Fix fs_fully_visible to verify the root directory is visible 2015-05-17 09:53:49 -07:00
no-block.c
open.c NFS: fix BUG() crash in notify_change() with patch to chown_common() 2015-05-06 21:59:11 +02:00
pipe.c pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic 2015-06-29 12:25:37 -07:00
pnode.c get rid of propagate_umount() mistakenly treating slaves as busy. 2014-09-17 09:19:22 -07:00
pnode.h smarter propagate_mnt() 2014-05-06 07:59:36 -07:00
posix_acl.c posix_acl: handle NULL ACL in posix_acl_equiv_mode 2014-06-07 10:28:16 -07:00
proc_namespace.c fs/proc_namespace.c: simplify testing nsp and nsp->mnt_ns 2014-01-23 16:37:02 -08:00
read_write.c vfs: atomic f_pos access in llseek() 2014-03-23 00:03:12 -04:00
readdir.c file->f_op is never NULL... 2013-10-24 23:34:54 -04:00
select.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2013-11-13 15:34:18 +09:00
seq_file.c seq_file: always clear m->count when we free m->buf 2013-11-18 19:07:53 -08:00
signalfd.c
splice.c fuse: fix pipe_buf_operations 2014-01-22 19:36:57 +01:00
stack.c
stat.c vfs: split out vfs_getattr_nosec 2013-11-09 00:16:31 -05:00
statfs.c vfs: allow O_PATH file descriptors for fstatfs() 2013-10-12 13:12:31 -07:00
super.c fs/superblock: avoid locking counting inodes and dentries before reclaiming them 2014-11-21 09:23:07 -08:00
sync.c Revert "writeback: do not sync data dirtied after sync start" 2014-02-22 02:02:28 +01:00
timerfd.c
utimes.c locks: break delegations on any attribute modification 2013-11-09 00:16:44 -05:00
xattr.c