Jeff Vander Stoep authored
Previous upstream *stable* fix 14f81062 was incomplete. A local process can trigger a system crash with an OOB read on buf. This occurs when the state of buf gets out of sync. After an error in pipe_iov_copy_to_user(), read_pipe may exit having updated buf->offset but not buf->len. Upon retrying pipe_read() while in pipe_iov_copy_to_user(), *remaining will be larger than the space left after buf->offset, e.g. *remaining = PAGE_SIZE, buf->len = PAGE_SIZE, buf->offset = 0x300. This is fixed by not updating the state of buf->offset until after the full copy is completed, similar to how pipe_write() is implemented. For stable kernels < 3.16.

Bug: 27721803
Change-Id: Iefffbcc6cfd159dba69c31bcd98c6d5c1f21ff2e
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
972c638b
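As an added illustration (not code from this commit or from the kernel), a small C model of the state desynchronization the message describes: a copy that fails partway, a read path that commits buf->offset before the copy is known to be complete, and the corrected ordering that commits offset and len together only after a full copy. The names `model_copy`, `buggy_read`, `fixed_read` and `state_consistent` are hypothetical stand-ins for pipe_iov_copy_to_user() and pipe_read(), not kernel symbols.

```c
#include <stddef.h>

#define PAGE_SIZE 4096u

/* Hypothetical model of a pipe buffer: offset/len describe the unread
 * bytes inside one page, so offset + len must never exceed PAGE_SIZE. */
struct pbuf {
    unsigned offset;
    unsigned len;
};

/* Stand-in for pipe_iov_copy_to_user(): copies up to `want` bytes but may
 * fault partway; `fail_after` is how many bytes succeed before the fault. */
static unsigned model_copy(unsigned want, unsigned fail_after)
{
    return want > fail_after ? fail_after : want;
}

/* Bug model: buf->offset is advanced even when the copy did not complete,
 * while buf->len is only adjusted on success, leaving the two out of sync. */
static int buggy_read(struct pbuf *b, unsigned want, unsigned fail_after)
{
    unsigned chars = want < b->len ? want : b->len;
    unsigned copied = model_copy(chars, fail_after);

    b->offset += copied;          /* committed before success is known */
    if (copied < chars)
        return -1;                /* error path skips the len update */
    b->len -= copied;
    return 0;
}

/* Fixed ordering: nothing in the buffer is touched until the full copy
 * has succeeded; offset and len then move together. */
static int fixed_read(struct pbuf *b, unsigned want, unsigned fail_after)
{
    unsigned chars = want < b->len ? want : b->len;
    unsigned copied = model_copy(chars, fail_after);

    if (copied < chars)
        return -1;                /* buffer state unchanged on error */
    b->offset += copied;
    b->len -= copied;
    return 0;
}

/* Invariant check: a retry that trusts buf->len would read past the page
 * whenever this returns 0. */
static int state_consistent(const struct pbuf *b)
{
    return b->offset + b->len <= PAGE_SIZE;
}
```

With the message's numbers (a full-page read faulting after 0x300 bytes) the buggy path leaves offset = 0x300 and len = PAGE_SIZE, which the invariant rejects; the fixed path leaves the buffer untouched so a retry stays within the page.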