
CVE-2015-1805

kernel: pipe: iovec overrun leading to memory corruption

Severity Score

7.8
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

5
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an "I/O vector array overrun."

Vulnerability in the (1) pipe_read and (2) pipe_write implementations in fs/pipe.c in the Linux kernel before 3.16, which do not properly consider the side effects of failed __copy_to_user_inatomic and __copy_from_user_inatomic calls, allowing local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, also known as an 'I/O vector array overrun'.

It was found that the Linux kernel's implementation of vectored pipe read and write functionality did not take into account the I/O vectors that were already processed when retrying after a failed atomic access operation, potentially resulting in memory corruption due to an I/O vector array overrun. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.

The kernel packages contain the Linux kernel, the core of any Linux operating system. A use-after-free flaw was found in the way the Linux kernel's SCTP implementation handled authentication key reference counting during INIT collisions. A remote attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system. It was found that the Linux kernel's implementation of vectored pipe read and write functionality did not take into account the I/O vectors that were already processed when retrying after a failed atomic access operation, potentially resulting in memory corruption due to an I/O vector array overrun. A local, unprivileged user could use this flaw to crash the system or, potentially, escalate their privileges on the system.

*Credits: N/A
CVSS Scores
  • CVSS v3: Attack Vector: Local; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: High
  • CVSS v2: Attack Vector: Local; Attack Complexity: Low; Authentication: None; Confidentiality: Complete; Integrity: Complete; Availability: Complete
  • CVSS v2 (second vector): Attack Vector: Local; Attack Complexity: Medium; Authentication: None; Confidentiality: Complete; Integrity: Complete; Availability: Complete
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2015-02-17 CVE Reserved
  • 2015-06-02 CVE Published
  • 2016-04-20 First Exploit
  • 2024-08-06 CVE Updated
  • 2025-04-16 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-17: DEPRECATED: Code
CAPEC
Affected Vendors, Products, and Versions
Vendor  Product       Version     Other  Status
Google  Android       4.4.3       -      Affected
Google  Android       5.0.1       -      Affected
Google  Android       5.1         -      Affected
Google  Android       5.1.1       -      Affected
Google  Android       6.0         -      Affected
Linux   Linux Kernel  <= 3.15.10  -      Affected