login
Login / Register
Header Space

 
 

Home » Mailing list archives » linux-kernel » 2008 » February » 10

[PATCH] splice: fix user pointer access in get_iovec_page_array()

Score:
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Pekka J Enberg <penberg@...>
To: <torvalds@...>
Cc: <linux-kernel@...>, <stable@...>, <jens.axboe@...>, <akpm@...>, <bastian@...>, <ndenev@...>, <oliver.pntr@...>
Subject: [PATCH] splice: fix user pointer access in get_iovec_page_array()
Date: Sunday, February 10, 2008 - 10:47 am

From: Bastian Blank <bastian@waldi.eu.org>

The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
pointer access verification") added access_ok() to copy_from_user_mmap_sem()
which only ensures we can copy the struct iovecs from userspace to the kernel
but we also must check whether we can access the actual memory region pointed
to by the struct iovec to close the local root exploit.

Cc: <stable@kernel.org>
Cc: Jens Axboe <jens.axboe@oracle.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
---
Bastian, can I have your Signed-off-by for this, please? Oliver, Niki, can 
you please confirm this closes the hole?

 fs/splice.c |    3 +++
 1 file changed, 3 insertions(+)

Index: linux-2.6/fs/splice.c
===================================================================
--- linux-2.6.orig/fs/splice.c
+++ linux-2.6/fs/splice.c
@@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
 		if (unlikely(!base))
 			break;
 
+		if (unlikely(!access_ok(VERIFY_READ, base, len)))
+			break;
+
 		/*
 		 * Get this base offset and number of pages, then map
 		 * in the user pages.
--
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
[PATCH] splice: fix user pointer access in get_iovec_page_ar..., Pekka J Enberg, (Sun Feb 10, 10:47 am)
[PATCH] vmsplice exploit fix (was: splice: fix user pointer ..., Daniel Phillips, (Mon Feb 11, 3:29 am)
Re: [PATCH] vmsplice exploit fix (was: splice: fix user poin..., Pekka Enberg, (Mon Feb 11, 3:49 am)
Re: [PATCH] vmsplice exploit fix (was: splice: fix user poin..., Daniel Phillips, (Mon Feb 11, 4:00 am)
Re: [stable] [PATCH] vmsplice exploit fix (was: splice: fix ..., Greg KH, (Mon Feb 11, 3:53 am)
Re: [stable] [PATCH] vmsplice exploit fix (was: splice: fix ..., Daniel Phillips, (Mon Feb 11, 4:05 am)
Re: [PATCH] splice: fix user pointer access in get_iovec_pag..., Willy Tarreau, (Sun Feb 10, 7:37 pm)
Re: [PATCH] splice: fix user pointer access in get_iovec_pag..., Oliver Pinter, (Mon Feb 11, 2:24 am)
Re: [PATCH] splice: fix user pointer access in get_iovec_pag..., Bastian Blank, (Sun Feb 10, 11:17 am)
Re: [PATCH] splice: fix user pointer access in get_iovec_pag..., Oliver Pinter, (Sun Feb 10, 11:31 am)

Mail archive search
Enter your search terms.
Optionally limit your search to a specific mailing list.
advanced
Colocation donated by:
Who's online
There are currently 7 users and 1345 guests online.

Online users

Syndicate
Syndicate content
© 2007 KernelTrap.  |  Powered by Drupal.  |  Legal statement.
speck-geostationary