    pipe: iovec: Fix OOB read in pipe_read() · 972c638b
    Jeff Vander Stoep authored
    
    
    Previous upstream *stable* fix 14f81062 was incomplete.
    
    A local process can trigger a system crash with an OOB read on buf.
    This occurs when the state of buf gets out of sync. After an error in
    pipe_iov_copy_to_user() read_pipe may exit having updated buf->offset
    but not buf->len. Upon retrying pipe_read() while in
    pipe_iov_copy_to_user() *remaining will be larger than the space left
    after buf->offset e.g. *remaining = PAGE_SIZE, buf->len = PAGE_SIZE,
    buf->offset = 0x300.
    
    This is fixed by not updating the state of buf->offset until after the
    full copy is completed, similar to how pipe_write() is implemented.
    
    For stable kernels < 3.16.
    
    Bug: 27721803
    Change-Id: Iefffbcc6cfd159dba69c31bcd98c6d5c1f21ff2e
    Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
pipe.c 29.3 KB
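The state desynchronisation the commit message describes can be reproduced in user space with a small model of the two fields involved. The block below is an added illustration, not code from the kernel or from this commit: `struct pbuf`, `fake_copy_to_user`, `copy_loop`, `pipe_read_once` and `scenario` are all constructed here, the chunk size and the 0x300-byte fault point are chosen to match the numbers in the message, and the "fixed" path only mirrors the commit's idea of working on a local offset and committing it after the whole copy succeeds. The model checks the range before copying, so it reports the overrun instead of performing the out-of-bounds read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define CHUNK     256u   /* constructed: size of each copy step */

/* Constructed model of the struct pipe_buffer fields the commit talks
 * about: valid data lives in page[offset .. offset+len). Not kernel code. */
struct pbuf {
    unsigned int offset;
    unsigned int len;
    unsigned char page[PAGE_SIZE];
};

/* Stand-in for copy_to_user(): copies min(n, budget) bytes and returns how
 * many were NOT copied, so a short budget models a fault part-way through. */
static size_t fake_copy_to_user(unsigned char *dst, const unsigned char *src,
                                size_t n, size_t budget)
{
    size_t ok = n < budget ? n : budget;
    memcpy(dst, src, ok);
    return n - ok;
}

/* Model of the copy loop: copy `remaining` bytes from page+*offset in
 * CHUNK-sized steps, advancing *offset after every step. Whether *offset
 * aliases buf->offset or a local is what separates the buggy and fixed
 * paths. Returns 0 on success, -1 on fault. The range is checked up front
 * and any excess reported via *overrun instead of being read. */
static int copy_loop(struct pbuf *buf, unsigned int *offset, size_t remaining,
                     unsigned char *dst, size_t budget, size_t *overrun)
{
    *overrun = 0;
    if (*offset + remaining > PAGE_SIZE) {
        *overrun = *offset + remaining - PAGE_SIZE;   /* would be OOB */
        return -1;
    }
    while (remaining) {
        size_t n = remaining < CHUNK ? remaining : CHUNK;
        size_t left = fake_copy_to_user(dst, buf->page + *offset, n, budget);
        size_t done = n - left;
        budget -= done;
        dst += done;
        *offset += (unsigned int)done;
        remaining -= done;
        if (left)
            return -1;          /* EFAULT: copy stopped mid-buffer */
    }
    return 0;
}

/* One read pass over a single buffer. `fixed` selects the commit's
 * behaviour: advance a local copy of the offset and store it into buf only
 * after the whole copy succeeded. The buggy path lets the loop advance
 * buf->offset directly, so a fault leaves offset moved and len untouched.
 * Returns bytes consumed, or -1 on fault. */
static long pipe_read_once(struct pbuf *buf, unsigned char *dst, size_t budget,
                           bool fixed, size_t *overrun)
{
    size_t remaining = buf->len;              /* recomputed from len each call */
    unsigned int local = buf->offset;
    unsigned int *off = fixed ? &local : &buf->offset;

    if (copy_loop(buf, off, remaining, dst, budget, overrun) < 0)
        return -1;
    buf->offset = *off;                       /* no-op on the buggy path */
    buf->len -= (unsigned int)remaining;
    return (long)remaining;
}

/* Scenario from the commit message: a full PAGE_SIZE buffer, the first copy
 * faults after 0x300 bytes, user space retries the read. Returns how many
 * bytes the retry would read past the end of the page (0 = in bounds) and
 * reports buf->offset as it stood after the fault. */
static size_t scenario(bool fixed, unsigned int *offset_after_fault)
{
    static unsigned char user[PAGE_SIZE];     /* constructed user buffer */
    struct pbuf buf = { .offset = 0, .len = PAGE_SIZE };
    size_t overrun;

    memset(buf.page, 0x41, sizeof buf.page);
    (void)pipe_read_once(&buf, user, 0x300, fixed, &overrun);      /* faults */
    *offset_after_fault = buf.offset;
    (void)pipe_read_once(&buf, user, SIZE_MAX, fixed, &overrun);   /* retry */
    return overrun;
}

int main(void)
{
    unsigned int off;
    size_t oob = scenario(false, &off);
    printf("buggy: offset after fault=%#x, retry would read %zu bytes past page\n", off, oob);
    oob = scenario(true, &off);
    printf("fixed: offset after fault=%#x, retry would read %zu bytes past page\n", off, oob);
    return 0;
}
```

On the buggy path the retry sees buf->offset = 0x300 with buf->len still PAGE_SIZE, so the loop would read 0x300 bytes beyond the page, which is the crash the message describes; on the fixed path the failed attempt leaves both fields untouched and the retry copies the whole buffer in bounds.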