Home » Mailing list archives » linux-kernel » 2008 » February » 10

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit

!MAILaRCHIVE_VOTE_RePLACE
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Niki Denev <ndenev@...>
To: Willy Tarreau <w@...>
Cc: <linux-kernel@...>, <jens.axboe@...>
Subject: Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
Date: Sunday, February 10, 2008 - 5:40 am

On Feb 10, 2008 1:38 AM, Niki Denev <ndenev@gmail.com> wrote:

this fixed the problem for me (kernel 2.6.24.1) :
It appears that the initial patch checked the input to vmsplice_to_user,
but the exploit used vmsplice_to_pipe which remained open to the attack.

--- fs/splice.c.orig	2008-02-08 21:55:30.000000000 +0200
+++ fs/splice.c	2008-02-10 11:32:50.000000000 +0200
@@ -1443,6 +1443,10 @@
 	struct pipe_inode_info *pipe;
 	struct page *pages[PIPE_BUFFERS];
 	struct partial_page partial[PIPE_BUFFERS];
+	int error;
+	long ret;
+	void __user *base;
+	size_t len;
 	struct splice_pipe_desc spd = {
 		.pages = pages,
 		.partial = partial,
@@ -1450,6 +1454,31 @@
 		.ops = &user_page_pipe_buf_ops,
 	};

+	error = ret = 0;
+
+	/*
+	 * Get user address base and length for this iovec.
+	 */
+	error = get_user(base, &iov->iov_base);
+	if (unlikely(error))
+		return error;
+	error = get_user(len, &iov->iov_len);
+	if (unlikely(error))
+		return error;
+
+	/*
+	 * Sanity check this iovec. 0 read succeeds.
+	 */
+	if (unlikely(!len))
+		return 0;
+	if (unlikely(!base)) {
+		return -EFAULT;	
+	}
+
+	if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+		return -EFAULT;
+	}
+
 	pipe = pipe_info(file->f_path.dentry->d_inode);
 	if (!pipe)
 		return -EBADF;
--
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
kernel 2.6.24.1 still vulnerable to the vmsplice local root ..., Niki Denev, (Sun Feb 10, 2:04 am)
Re: kernel 2.6.24.1 still vulnerable to the vmsplice local r..., Willy Tarreau, (Sun Feb 10, 2:32 am)
Re: kernel 2.6.24.1 still vulnerable to the vmsplice local r..., Niki Denev, (Sun Feb 10, 2:38 am)
Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Niki Denev, (Sun Feb 10, 5:40 am)
Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Bastian Blank, (Sun Feb 10, 8:22 am)
Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Niki Denev, (Sun Feb 10, 9:48 am)
Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Niki Denev, (Sun Feb 10, 8:39 am)
Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Bastian Blank, (Sun Feb 10, 8:47 am)
Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Oliver Pinter, (Sun Feb 10, 9:02 am)
Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the..., Greg KH, (Sun Feb 10, 1:05 pm)
Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the..., Oliver Pinter, (Sun Feb 10, 1:48 pm)
Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the..., Oliver Pinter, (Sun Feb 10, 1:44 pm)
Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the..., Pekka Enberg, (Sun Feb 10, 1:11 pm)
Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Niki Denev, (Sun Feb 10, 8:54 am)
Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice..., Oliver Pinter, (Sun Feb 10, 8:04 am)