The (1) piperead and (2) pipewrite implementations in fs/pipe.c in the Linux kernel before 3.16 do not properly consider the side effects of failed _copytouserinatomic and _copyfromuserinatomic calls, which allows local users to cause a denial of service (system crash) or possibly gain privileges via a crafted application, aka an "I/O vector array overrun."