On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote:
> From: Bastian Blank <[EMAIL PROTECTED]>
>
> The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
> pointer access verification") added access_ok() to copy_from_user_mmap_sem()
> which only ensures we can copy the struct iovecs from userspace to the kernel
> but we also must check whether we can access the actual memory region pointed
> to by the struct iovec to close the local root exploit.
>
> Cc: <[EMAIL PROTECTED]>
> Cc: Jens Axboe <[EMAIL PROTECTED]>
> Cc: Andrew Morton <[EMAIL PROTECTED]>
> Signed-off-by: Pekka Enberg <[EMAIL PROTECTED]>
Signed-off-by: Bastian Blank <[EMAIL PROTECTED]>
> Index: linux-2.6/fs/splice.c
> ===================================================================
> --- linux-2.6.orig/fs/splice.c
> +++ linux-2.6/fs/splice.c
> @@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
> if (unlikely(!base))
> break;
>
> + if (unlikely(!access_ok(VERIFY_READ, base, len)))
> + break;
> +
> /*
> * Get this base offset and number of pages, then map
> * in the user pages.
--
Those who hate and fight must stop themselves -- otherwise it is not stopped.
-- Spock, "Day of the Dove", stardate unknown
signature.asc
Description: Digital signature
