It was found that there are no size checks in the splice IO path, so it's possible to send a write past s_maxbytes to a filesystem. For ext4, at least, this ends badly, with a BUG_ON. A local unprivileged user could use this flaw to crash the system.

Acknowledgements: Red Hat would like to thank Akira Fujita of NEC for reporting this issue.

Upstream patches:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8d0207652cbe27d1f962050737848e5ad4671958 (this patch rearranges splice with a side effect of invoking generic_write_checks() along the way)
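The kind of bound the description says was missing from the splice write path, as an added user-space example (not kernel code and not part of the original report). The function name check_write_bounds and the SAMPLE_MAXBYTES value are assumptions made for illustration; maxbytes stands in for the filesystem's s_maxbytes.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample limit; real s_maxbytes values depend on the filesystem. */
#define SAMPLE_MAXBYTES ((int64_t)1 << 40)

/*
 * Simplified model of a write-size check (hypothetical helper).
 * Returns 0 and may shorten *count so the write ends at maxbytes,
 * -EFBIG if the write starts at or beyond the limit,
 * -EINVAL on a negative offset or limit.
 */
static int check_write_bounds(int64_t pos, uint64_t *count, int64_t maxbytes)
{
    if (pos < 0 || maxbytes < 0)
        return -EINVAL;

    if (pos >= maxbytes) {
        /* Only a zero-length write exactly at the limit is allowed. */
        if (*count != 0 || pos > maxbytes)
            return -EFBIG;
        return 0;
    }

    /* pos < maxbytes here, so the subtraction is positive and cannot wrap. */
    uint64_t room = (uint64_t)(maxbytes - pos);
    if (*count > room)
        *count = room;  /* clamp instead of letting the write cross the limit */
    return 0;
}

int main(void)
{
    /* Constructed case: an 8 KiB write starting 4 KiB below the limit. */
    uint64_t count = 8192;
    int rc = check_write_bounds(SAMPLE_MAXBYTES - 4096, &count, SAMPLE_MAXBYTES);
    printf("rc=%d count=%llu\n", rc, (unsigned long long)count);

    /* Constructed case: a write that starts at the limit is refused. */
    count = 1;
    rc = check_write_bounds(SAMPLE_MAXBYTES, &count, SAMPLE_MAXBYTES);
    printf("rc=%d (EFBIG is %d)\n", rc, EFBIG);
    return 0;
}
```

A write path that skips a check of this shape hands the filesystem an offset and length it was never meant to receive, which is the condition the description reports for ext4.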
Statement: This issue does affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2. Future kernel updates for the respective releases may address this flaw.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:0102 https://rhn.redhat.com/errata/RHSA-2015-0102.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2015:0164 https://rhn.redhat.com/errata/RHSA-2015-0164.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2015:0674 https://rhn.redhat.com/errata/RHSA-2015-0674.html

This issue has been addressed in the following products:
MRG for RHEL-6 v.2
Via RHSA-2015:0694 https://rhn.redhat.com/errata/RHSA-2015-0694.html