From: Bastian Blank <bastian@waldi.eu.org>
The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user

pointer access verification") added access_ok() to copy_from_user_mmap_sem()

which only ensures we can copy the struct iovecs from userspace to the kernel

but we also must check whether we can access the actual memory region pointed

to by the struct iovec to close the local root exploit.
Cc: <stable@kernel.org>

Cc: Jens Axboe <jens.axboe@oracle.com>

Cc: Andrew Morton <akpm@linux-foundation.org>

Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>

---

Bastian, can I have your Signed-off-by for this, please? Oliver, Niki, can

you please confirm this closes the hole?
 fs/splice.c |    3 +++

 1 file changed, 3 insertions(+)
Index: linux-2.6/fs/splice.c

===================================================================

--- linux-2.6.orig/fs/splice.c

+++ linux-2.6/fs/splice.c

@@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st

 		if (unlikely(!base))

 			break;
+		if (unlikely(!access_ok(VERIFY_READ, base, len)))

+			break;

+

 		/*

 		 * Get this base offset and number of pages, then map

 		 * in the user pages.

--

Kudos to all involved in the rapid response.  But.
Information on patching this vulnerability is not available front and

center in many of the places you would expect: kernel.org front page,

debian.org front page, covered on planet.debian.org but without a

pointer to the patch, and so on.  So this post provides a subject line

for Google to find, and for good measure mentions the word

vulnerability.
Also,
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953
I think many users would first go to kernel.org on a day like today, as

I did.  Nothing to see there.  We could do a way better job of getting

the word out.
Patch attached as posted above by Pekka.  For the mortals among us:
   cd linux-2.6.recent && patch <fix.vmsplice.exploit.patch -p1
Regards,
Daniel

Hi Daniel,
Any suggestions what I could have done better here? As soon as Linus

merged the patch, I sent it to stable@kernel.org and expected

information to spread from there. I did also follow up on some vendor

bugzillas (Debian, RHEL, Fedora) to make sure they were aware of the

merged patch (they were).
                                    Pekka

--

You did your part flawlessly as far as I can see.  Really, your original

subject line was accurate, and lkml should not be the place to go to 
And they are no doubt getting kernel revs out at this very moment, that

part of the machine works great.  It is just the part about getting out

information to users who want to patch their own kernels that could be

done better.
Regards,
Daniel

--

All currently active Linux kernel versions are now released with a fix

for this problem.  We have released them through our normal channels,

with the needed information as to what the problem is, a pointer to the

CVE number, and the patch itself.
I don't think there's much more we need to do here, do you?
thanks,
greg k-h

--

No amount of information about such a thing is too much information.  We

do not need to do any more, but we can do more.
It is news, how about an entry in the kernel.org news section?  How

about a security alerts section on kernel.org?  There is a lot that can

be done to support people who want to patch their kernels as quickly as

possible.
Regards,
Daniel

--

Pekka, I confirm that it also closes the hole once backported to 2.6.22.
Willy
--

Linux pancs 2.6.22.17-opt2-cve2 #1 SMP Sun Feb 10 16:22:37 CET 2008

i686 GNU/Linux

-----------------------------------

 Linux vmsplice Local Root Exploit

 By qaaz

-----------------------------------

[+] mmap: 0x0 .. 0x1000

[+] page: 0x0

[+] page: 0x20

[+] mmap: 0x4000 .. 0x5000

[+] page: 0x4000

[+] page: 0x4020

[+] mmap: 0x1000 .. 0x2000

[+] page: 0x1000

[+] mmap: 0xb7f95000 .. 0xb7fc7000

[-] vmsplice: Bad address

-----------------------------------

 Linux vmsplice Local Root Exploit

 By qaaz

-----------------------------------

[+] addr: 0xc01112e9

[-] wtf
the patch is good for 2.6.22.y
--

Thanks,

Oliver

--

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
--=20

Those who hate and fight must stop themselves -- otherwise it is not stoppe=

d.

		-- Spock, "Day of the Dove", stardate unknown

Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>
----8<----
Linux pancs 2.6.22.17-opt2-cve2 #1 SMP Sun Feb 10 16:22:37 CET 2008

i686 GNU/Linux

-----------------------------------

 Linux vmsplice Local Root Exploit

 By qaaz

-----------------------------------

[+] mmap: 0x0 .. 0x1000

[+] page: 0x0

[+] page: 0x20

[+] mmap: 0x4000 .. 0x5000

[+] page: 0x4000

[+] page: 0x4020

[+] mmap: 0x1000 .. 0x2000

[+] page: 0x1000

[+] mmap: 0xb7f2d000 .. 0xb7f5f000

[-] vmsplice: Bad address
-----
oliver@pancs:/tmp$ uname -a && ./2623_2624_root_exploit

Linux pancs 2.6.22.17-opt2-cve2 #1 SMP Sun Feb 10 16:22:37 CET 2008

i686 GNU/Linux

-----------------------------------

 Linux vmsplice Local Root Exploit

 By qaaz

-----------------------------------

[+] addr: 0xc01112e9

[-] wtf
---->8----
--

Thanks,

Oliver

--