Google Git
Sign in
android / kernel / exynos / android-wear-6.0.1_r0.39
tag95c673675c5c872b0f4a716f951702183148b57c
taggerThe Android Open Source Project <initial-contribution@android.com>Thu Aug 04 11:20:55 2016 -0700
object7ef21ae391d8e733ff711b0a51ba9159ae83605f 
Android Wear 6.0.1 Release 0.39
commit7ef21ae391d8e733ff711b0a51ba9159ae83605f[log] [tgz]
authorBen Hutchings <ben@decadent.org.uk>Sat Feb 13 02:34:52 2016 +0000
committerItsuki Yamashita <yamashitai@casio.co.jp>Mon May 09 11:10:13 2016 +0900
tree009ee19014ab85a46b975d46271af34a3130f850
parentda3debd528006907c888205a594e88b8783fac0c [diff]
pipe: Fix buffer offset after partially failed read

Quoting the RHEL advisory:

> It was found that the fix for CVE-2015-1805 incorrectly kept buffer
> offset and buffer length in sync on a failed atomic read, potentially
> resulting in a pipe buffer state corruption. A local, unprivileged user
> could use this flaw to crash the system or leak kernel memory to user
> space. (CVE-2016-0774, Moderate)

The same flawed fix was applied to stable branches from 2.6.32.y to
3.14.y inclusive, and I was able to reproduce the issue on 3.2.y.
We need to give pipe_iov_copy_to_user() a separate offset variable
and only update the buffer offset if it succeeds.

Change-Id: I988802f38acf40c7671fa0978880928b02d29b56
References: https://rhn.redhat.com/errata/RHSA-2016-0103.html
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
(cherry picked from commit feae3ca2e5e1a8f44aa6290255d3d9709985d0b2)
1 file changed
tree: 009ee19014ab85a46b975d46271af34a3130f850
  1. android/
  2. arch/
  3. block/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .gitignore
  24. .mailmap
  25. build.config
  26. COPYING
  27. CREDITS
  28. Kbuild
  29. Kconfig
  30. MAINTAINERS
  31. Makefile
  32. README
  33. REPORTING-BUGS