lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 8 Feb 2008 18:48:54 +0100
From:	"Oliver Pinter" <oliver.pntr@...il.com>
To:	"Greg KH" <greg@...ah.com>
Cc:	torvalds@...ux-foundation.org,
	"Jens Axboe" <jens.axboe@...cle.com>,
	"Andrew Morton" <akpm@...ux-foundation.org>,
	cliph@...earch.coseinc.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] splice: missing user pointer access verification (CVE-2008-0009/10)

greg it's for .22 or the splice is changed between .22 and .23?

On 2/8/08, Greg KH <greg@...ah.com> wrote:
> From: Jens Axboe <jens.axboe@...cle.com>
>
> vmsplice_to_user() must always check the user pointer and length
> with access_ok() before copying. Likewise, for the slow path of
> copy_from_user_mmap_sem() we need to check that we may read from
> the user region.
>
> Signed-off-by: Jens Axboe <jens.axboe@...cle.com>
> Cc: Wojciech Purczynski <cliph@...earch.coseinc.com>
> Signed-off-by: Greg Kroah-Hartman <gregkh@...e.de>
> ---
>
> Linus, this fixes a security hole in splice that is now public.  I have
> it queued up for the .23 and .24 -stable releases as well.
>
>  fs/splice.c |    8 ++++++++
>  1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/fs/splice.c b/fs/splice.c
> index 4ee49e8..14e2262 100644
> --- a/fs/splice.c
> +++ b/fs/splice.c
> @@ -1179,6 +1179,9 @@ static int copy_from_user_mmap_sem(void *dst, const
> void __user *src, size_t n)
>  {
>  	int partial;
>
> +	if (!access_ok(VERIFY_READ, src, n))
> +		return -EFAULT;
> +
>  	pagefault_disable();
>  	partial = __copy_from_user_inatomic(dst, src, n);
>  	pagefault_enable();
> @@ -1387,6 +1390,11 @@ static long vmsplice_to_user(struct file *file, const
> struct iovec __user *iov,
>  			break;
>  		}
>
> +		if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
> +			error = -EFAULT;
> +			break;
> +		}
> +
>  		sd.len = 0;
>  		sd.total_len = len;
>  		sd.flags = flags;
> --
> 1.5.4.22.g7a20
>
>
> --
> Jens Axboe
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
>


-- 
Thanks,
Oliver
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ