Kudos to all involved in the rapid response. But. Information on patching this vulnerability is not available front and center in many of the places you would expect: kernel.org front page, debian.org front page, covered on planet.debian.org but without a pointer to the patch, and so on. So this post provides a subject line for Google to find, and for good measure mentions the word vulnerability.
Also, http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953

I think many users would first go to kernel.org on a day like today, as I did. Nothing to see there. We could do a way better job of getting the word out.

Patch attached as posted above by Pekka. For the mortals among us:

    cd linux-2.6.recent && patch <fix.vmsplice.exploit.patch -p1

Regards,
Daniel
Cc: <[EMAIL PROTECTED]> Cc: Jens Axboe <[EMAIL PROTECTED]> Cc: Andrew Morton <[EMAIL PROTECTED]> Signed-off-by: Pekka Enberg <[EMAIL PROTECTED]> --- Bastian, can I have your Signed-off-by for this, please? Oliver, Niki, can you please confirm this closes the hole? fs/splice.c | 3 +++ 1 file changed, 3 insertions(+) Index: linux-2.6/fs/splice.c =================================================================== --- linux-2.6.orig/fs/splice.c +++ linux-2.6/fs/splice.c @@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st if (unlikely(!base)) break; + if (unlikely(!access_ok(VERIFY_READ, base, len))) + break; + /* * Get this base offset and number of pages, then map * in the user pages.
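Review bot: the new access_ok(VERIFY_READ, base, len) check in get_iovec_page_array() exits with a bare break, exactly like the !base test above it, so what the caller sees for an invalid user range depends on a return code set outside the lines shown here. Setting the return code to -EFAULT explicitly in the new branch before the break would make the failure unambiguous regardless of the surrounding code. A one-line comment above the check saying that the user range must be validated before the pages are mapped would also help, since the existing comment below it only describes the mapping step.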