shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-04-01 18:53:02 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
ece9210859abb2cc0126f8adbfbbdee668d4906a
linux/fs
History
Ben Hutchings 6b17faf3d5 pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic 
pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
the first time atomically and the second time not.  The second attempt
needs to continue from the iovec position, pipe buffer offset and
remaining length where the first attempt failed, but currently the
pipe buffer offset and remaining length are reset.  This will corrupt
the piped data (possibly also leading to an information leak between
processes) and may also corrupt kernel memory.

This was fixed upstream by commits f0d1bec9d5 ("new helper:
copy_page_from_iter()") and 637b58c288 ("switch pipe_read() to
copy_page_to_iter()"), but those aren't suitable for stable.  This fix
for older kernel versions was made by Seth Jennings for RHEL and I
have extracted it from their update.

CVE-2015-1805

References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2015-06-29 12:25:37 -07:00
..
9p
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-01-28 08:38:04 -08:00
adfs
adfs: delayed freeing of sbi
2013-10-24 23:43:27 -04:00
affs
move d_rcu from overlapping d_child to overlapping d_alias
2015-04-29 10:31:54 +02:00
afs
afs: proc cells and rootcell are writeable
2014-02-01 10:59:39 -08:00
autofs4
move d_rcu from overlapping d_child to overlapping d_alias
2015-04-29 10:31:54 +02:00
befs
befs: iget_locked() doesn't return an ERR_PTR
2014-01-25 03:14:38 -05:00
bfs
truncate: drop 'oldsize' truncate_pagecache() parameter
2013-09-12 15:38:02 -07:00
btrfs
btrfs: cleanup orphans while looking up default subvolume
2015-06-22 17:01:24 -07:00
cachefiles
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-11-13 15:34:18 +09:00
ceph
move d_rcu from overlapping d_child to overlapping d_alias
2015-04-29 10:31:54 +02:00
cifs
move d_rcu from overlapping d_child to overlapping d_alias
2015-04-29 10:31:54 +02:00
coda
move d_rcu from overlapping d_child to overlapping d_alias
2015-04-29 10:31:54 +02:00
configfs
configfs: fix race between dentry put and lookup
2013-11-21 16:42:27 -08:00
cramfs
mm: remove read_cache_page_async()
2014-11-21 09:23:06 -08:00
debugfs
move d_rcu from overlapping d_child to overlapping d_alias
2015-04-29 10:31:54 +02:00
devpts
devpts: plug the memory leak in kill_sb
2013-11-13 12:09:36 +09:00
dlm
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
2014-01-25 11:17:34 -08:00
ecryptfs
eCryptfs: Remove buggy and unnecessary write in file name decode routine
2015-01-08 10:00:51 -08:00
efivarfs
consolidate simple ->d_delete() instances
2013-11-15 22:04:17 -05:00
efs
efs: get rid of ->put_super()
2014-01-25 03:13:02 -05:00
exofs
exofs: Print less in r4w
2014-01-23 18:54:14 +02:00
exportfs
move d_rcu from overlapping d_child to overlapping d_alias
2015-04-29 10:31:54 +02:00
ext2
ext2/3/4: use generic posix ACL infrastructure
2014-01-25 23:58:19 -05:00
ext3
ext3: Don't check quota format when there are no quota files
2014-11-14 09:00:09 -08:00
ext4
ext4: check for zero length extent explicitly
2015-06-06 08:19:36 -07:00
f2fs
mm: non-atomically mark page accessed during page cache allocation where possible
2015-01-29 17:40:52 -08:00
fat
fat: rcu-delay unloading nls and freeing sbi
2013-10-24 23:43:28 -04:00
freevxfs
[readdir] convert freevxfs
2013-06-29 12:56:53 +04:00
fscache
FS-Cache: Handle removal of unadded object to the fscache_object_list rb tree
2014-02-17 13:47:35 -08:00
fuse
fuse: notify: don't move pages
2015-03-26 15:06:53 +01:00
gfs2
mm: non-atomically mark page accessed during page cache allocation where possible
2015-01-29 17:40:52 -08:00
hfs
fs/hfs/btree.h: remove duplicate defines
2013-11-13 12:09:32 +09:00
hfsplus
hfsplus: fix B-tree corruption after insertion at position 0
2015-04-13 14:03:03 +02:00
hostfs
um: hostfs: make functions static
2014-01-26 11:51:09 +01:00
hpfs
hpfs: optimize quad buffer loading
2014-02-02 16:24:07 -08:00
hppfs
clean up scary strncpy(dst, src, strlen(src)) uses
2013-07-03 16:07:41 -07:00
hugetlbfs
hugetlb: ensure hugepage access is denied if hugepages are not supported
2014-10-09 12:21:27 -07:00
isofs
isofs: Fix unchecked printing of ER records
2015-01-08 10:00:49 -08:00
jbd
jbd: Revise KERN_EMERG error messages
2013-12-04 12:27:46 +01:00
jbd2
jbd2: fix r_count overflows leading to buffer overflow in journal recovery
2015-06-06 08:19:36 -07:00
jffs2
jffs2: fix handling of corrupted summary length
2015-03-06 14:43:32 -08:00
jfs
jfs: set i_ctime when setting ACL
2014-02-13 15:56:05 -06:00
kernfs
kernfs: add back missing error check in kernfs_fop_mmap()
2014-06-07 10:28:08 -07:00
lockd
LOCKD: Fix a race when initialising nlmsvc_timeout
2015-01-27 08:18:58 -08:00
logfs
Merge branch 'for-3.14/core' of git://git.kernel.dk/linux-block
2014-01-30 11:19:05 -08:00
minix
fs/minix: Drop dependency on H8300
2013-09-16 18:20:25 -07:00
ncpfs
move d_rcu from overlapping d_child to overlapping d_alias
2015-04-29 10:31:54 +02:00
nfs
move d_rcu from overlapping d_child to overlapping d_alias
2015-04-29 10:31:54 +02:00
nfs_common
nfs_common: Update the translation between nfsv3 acls linux posix acls
2013-02-13 06:15:14 -08:00
nfsd
nfsd4: fix xdr4 inclusion of escaped char
2015-01-16 06:59:33 -08:00
nilfs2
nilfs2: fix sanity check of btree level in nilfs_btree_root_broken()
2015-05-17 09:53:49 -07:00
nls
nls: have register_nls() set ->owner
2014-01-25 03:14:05 -05:00
notify
move d_rcu from overlapping d_child to overlapping d_alias
2015-04-29 10:31:54 +02:00
ntfs
mm: non-atomically mark page accessed during page cache allocation where possible
2015-01-29 17:40:52 -08:00
ocfs2
ocfs2: dlm: fix race between purge and get lock resource
2015-05-17 09:53:49 -07:00
omfs
fs, omfs: add NULL terminator in the end up the token list
2015-06-06 08:19:31 -07:00
openpromfs
[readdir] convert openpromfs
2013-06-29 12:56:32 +04:00
proc
proc/pagemap: walk page tables under pte lock
2015-04-29 10:31:56 +02:00
pstore
pstore: Fix NULL pointer fault if get NULL prz in ramoops_get_next_prz
2015-02-05 22:35:52 -08:00
qnx4
qnx4: clean qnx4_fill_super() up
2014-01-25 03:13:03 -05:00
qnx6
[readdir] convert qnx6
2013-06-29 12:56:39 +04:00
quota
quota: Properly return errors from dquot_writeback_dquots()
2014-11-14 09:00:09 -08:00
ramfs
fs/ramfs: move ramfs_aops to inode.c
2014-01-23 16:36:58 -08:00
reiserfs
reiserfs: call truncate_setsize under tailpack mutex
2014-07-06 18:57:29 -07:00
romfs
romfs: fix returm err while getting inode in fill_super
2014-01-23 16:37:04 -08:00
squashfs
Squashfs: fix failure to unlock pages on decompress error
2013-11-24 01:02:50 +00:00
sysfs
sysfs: make sure read buffer is zeroed
2014-06-07 10:28:24 -07:00
sysv
sysv: Add forgotten superblock lock init for v7 fs
2013-09-29 22:02:02 -04:00
ubifs
UBIFS: fix free log space calculation
2014-11-14 08:59:46 -08:00
udf
udf: Verify symlink size before loading it
2015-01-08 10:00:50 -08:00
ufs
truncate: drop 'oldsize' truncate_pagecache() parameter
2013-09-12 15:38:02 -07:00
xfs
xfs: Fix quota type in quota structures when reusing quota file
2015-03-06 14:43:31 -08:00
aio.c
ioctx_alloc(): fix vma (and file) leak on failure
2015-04-19 10:11:09 +02:00
anon_inodes.c
vfs: Allocate anon_inode_inode in anon_inode_init()
2014-03-27 09:52:54 -07:00
attr.c
fs,userns: Change inode_capable to capable_wrt_inode_uidgid
2014-06-16 13:40:32 -07:00
bad_inode.c
[readdir] ->readdir() is gone
2013-06-29 12:57:04 +04:00
binfmt_aout.c
dump_skip(): dump_seek() replacement taking coredump_params
2013-11-09 00:16:26 -05:00
binfmt_elf_fdpic.c
elf{,_fdpic} coredump: get rid of pointless if (siginfo->si_signo)
2013-11-09 00:16:30 -05:00
binfmt_elf.c
fs/binfmt_elf.c:load_elf_binary(): return -EINVAL on zero-length mappings
2015-06-06 08:19:40 -07:00
binfmt_em86.c
file->f_op is never NULL...
2013-10-24 23:34:54 -04:00
binfmt_flat.c
new helper: read_code()
2013-04-29 15:40:23 -04:00
binfmt_misc.c
binfmt_misc: reuse string_unescape_inplace()
2013-04-30 17:04:03 -07:00
binfmt_script.c
exec: do not leave bprm->interp on stack
2012-12-20 17:40:19 -08:00
binfmt_som.c
bio-integrity.c
bio-integrity: Drop bio_integrity_verify BUG_ON in post bip->bip_iter world
2014-02-21 15:56:36 -08:00
bio.c
block: Fix cloning of discard/write same bios
2014-02-11 08:40:45 -07:00
block_dev.c
Merge tag 'writeback-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/wfg/linux
2013-09-13 23:06:40 -04:00
buffer.c
mm: non-atomically mark page accessed during page cache allocation where possible
2015-01-29 17:40:52 -08:00
char_dev.c
Merge branch 'for-3.13/core' of git://git.kernel.dk/linux-block
2013-11-14 12:08:14 +09:00
compat_binfmt_elf.c
compat_ioctl.c
fs/compat_ioctl.c: fix an underflow issue (harmless)
2014-01-21 16:19:42 -08:00
compat.c
[readdir] constify ->actor
2013-06-29 12:57:05 +04:00
coredump.c
coredump: fix the setting of PF_DUMPCORE
2014-07-31 12:52:56 -07:00
dcache.c
d_walk() might skip too much
2015-06-06 08:19:32 -07:00
dcookies.c
fs/compat: fix lookup_dcookie() parameter handling
2014-01-29 16:22:40 -08:00
direct-io.c
block: Abstract out bvec iterator
2013-11-23 22:33:47 -08:00
drop_caches.c
shrinker: add node awareness
2013-09-10 18:56:31 -04:00
eventfd.c
eventfd_ctx_fdget(): use fdget() instead of fget()
2014-01-25 03:13:04 -05:00
eventpoll.c
eventpoll: fix uninitialized variable in epoll_ctl
2014-10-05 14:52:20 -07:00
exec.c
fs: take i_mutex during prepare_binprm for set[ug]id executables
2015-05-06 21:59:21 +02:00
fcntl.c
file->f_op is never NULL...
2013-10-24 23:34:54 -04:00
fhandle.c
vfs: read file_handle only once in handle_to_path
2015-06-06 08:19:40 -07:00
file_table.c
don't bother with {get,put}_write_access() on non-regular files
2014-05-31 13:20:29 -07:00
file.c
vfs: Don't let __fdget_pos() get FMODE_PATH files
2014-03-23 00:03:12 -04:00
filesystems.c
fs: Limit sys_mount to only request filesystem modules.
2013-03-03 19:36:31 -08:00
fs_struct.c
seqcount: Add lockdep functionality to seqcount/seqlock structures
2013-11-06 12:40:26 +01:00
fs-writeback.c
writeback: fix a subtle race condition in I_DIRTY clearing
2015-01-16 06:59:32 -08:00
inode.c
fs,userns: Change inode_capable to capable_wrt_inode_uidgid
2014-06-16 13:40:32 -07:00
internal.h
get rid of s_files and files_lock
2013-11-09 00:16:20 -05:00
ioctl.c
file->f_op is never NULL...
2013-10-24 23:34:54 -04:00
ioprio.c
block: Fix computation of merged request priority
2014-11-21 09:23:03 -08:00
Kconfig
fs: remove generic_acl
2014-01-26 08:26:40 -05:00
Kconfig.binfmt
fs: make binfmt support for #! scripts modular and removable
2013-04-30 17:04:04 -07:00
libfs.c
move d_rcu from overlapping d_child to overlapping d_alias
2015-04-29 10:31:54 +02:00
locks.c
locks: eliminate BUG() call when there's an unexpected lock on file close
2014-12-06 15:55:39 -08:00
Makefile
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2014-01-28 08:38:04 -08:00
mbcache.c
fs: convert fs shrinkers to new scan/count API
2013-09-10 18:56:31 -04:00
mount.h
switch mnt_hash to hlist
2014-03-30 19:18:51 -04:00
mpage.c
block: Abstract out bvec iterator
2013-11-23 22:33:47 -08:00
namei.c
RCU pathwalk breakage when running into a symlink overmounting something
2015-05-06 21:59:20 +02:00
namespace.c
mnt: Fix fs_fully_visible to verify the root directory is visible
2015-05-17 09:53:49 -07:00
no-block.c
open.c
NFS: fix BUG() crash in notify_change() with patch to chown_common()
2015-05-06 21:59:11 +02:00
pipe.c
pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic
2015-06-29 12:25:37 -07:00
pnode.c
get rid of propagate_umount() mistakenly treating slaves as busy.
2014-09-17 09:19:22 -07:00
pnode.h
smarter propagate_mnt()
2014-05-06 07:59:36 -07:00
posix_acl.c
posix_acl: handle NULL ACL in posix_acl_equiv_mode
2014-06-07 10:28:16 -07:00
proc_namespace.c
fs/proc_namespace.c: simplify testing nsp and nsp->mnt_ns
2014-01-23 16:37:02 -08:00
read_write.c
vfs: atomic f_pos access in llseek()
2014-03-23 00:03:12 -04:00
readdir.c
file->f_op is never NULL...
2013-10-24 23:34:54 -04:00
select.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-11-13 15:34:18 +09:00
seq_file.c
seq_file: always clear m->count when we free m->buf
2013-11-18 19:07:53 -08:00
signalfd.c
switch signalfd{,4}() to COMPAT_SYSCALL_DEFINE
2013-03-03 22:58:46 -05:00
splice.c
fuse: fix pipe_buf_operations
2014-01-22 19:36:57 +01:00
stack.c
stat.c
vfs: split out vfs_getattr_nosec
2013-11-09 00:16:31 -05:00
statfs.c
vfs: allow O_PATH file descriptors for fstatfs()
2013-10-12 13:12:31 -07:00
super.c
fs/superblock: avoid locking counting inodes and dentries before reclaiming them
2014-11-21 09:23:07 -08:00
sync.c
Revert "writeback: do not sync data dirtied after sync start"
2014-02-22 02:02:28 +01:00
timerfd.c
timerfd: Add alarm timers
2013-05-29 12:57:34 -07:00
utimes.c
locks: break delegations on any attribute modification
2013-11-09 00:16:44 -05:00
xattr.c
vfs: make lremovexattr retry once on ESTALE error
2012-12-20 18:50:11 -05:00