Google Git
Sign in
android / kernel / mediatek / android-6.0.1_r0.75
tag47ba6e6671d215e942934c22716354932fb34454
taggerThe Android Open Source Project <initial-contribution@android.com>Tue May 03 10:13:07 2016 -0700
objectae53126d701dd66fe05abd45b40f4e4ee317ca05 
Android 6.0.1 release 0.75 (MOB30G,sprout)
commitae53126d701dd66fe05abd45b40f4e4ee317ca05[log] [tgz]
authorJeff Vander Stoep <jeffv@google.com>Wed Mar 23 15:32:14 2016 -0700
committerJin Qian <jinqian@google.com>Thu Mar 24 10:51:26 2016 -0700
tree6da9d1706fefa2dcdcffb84ca5b1b7afd4833978
parentf5ab0b3b97f39ea85b1575fe30519d08ab7ba6f0 [diff]
pipe: iovec: Fix OOB read in pipe_read()

Previous upstream *stable* fix 14f81062 was incomplete.

A local process can trigger a system crash with an OOB read on buf.
This occurs when the state of buf gets out of sync. After an error in
pipe_iov_copy_to_user() read_pipe may exit having updated buf->offset
but not buf->len. Upon retrying pipe_read() while in
pipe_iov_copy_to_user() *remaining will be larger than the space left
after buf->offset e.g. *remaing = PAGE_SIZE, buf->len = PAGE_SIZE,
buf->offset = 0x300.

This is fixed by not updating the state of buf->offset until after the
full copy is completed, similar to how pipe_write() is implemented.

For stable kernels < 3.16.

Bug: 27721803
Change-Id: Iefffbcc6cfd159dba69c31bcd98c6d5c1f21ff2e
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
1 file changed
tree: 6da9d1706fefa2dcdcffb84ca5b1b7afd4833978
  1. android/
  2. arch/
  3. block/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .gitignore
  24. .mailmap
  25. Android.mk
  26. build.config
  27. build.config.svelte
  28. build.sh
  29. CleanSpec.mk
  30. COPYING
  31. CREDITS
  32. Kbuild
  33. Kconfig
  34. MAINTAINERS
  35. Makefile
  36. README
  37. REPORTING-BUGS