[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <6101e8c40802081010w64d1c7act8b98694a029a325@mail.gmail.com>
Date: Fri, 8 Feb 2008 19:10:12 +0100
From: "Oliver Pinter" <oliver.pntr@...il.com>
To: "Greg KH" <greg@...ah.com>
Cc: torvalds@...ux-foundation.org,
"Jens Axboe" <jens.axboe@...cle.com>,
"Andrew Morton" <akpm@...ux-foundation.org>,
cliph@...earch.coseinc.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] splice: missing user pointer access verification (CVE-2008-0009/10)
hmm, when I good see, this is not for .22, and it (vmsplice_to_user)
is came with .23
On 2/8/08, Oliver Pinter <oliver.pntr@...il.com> wrote:
> greg it's for .22 or the splice is changed between .22 and .23?
>
> On 2/8/08, Greg KH <greg@...ah.com> wrote:
> > From: Jens Axboe <jens.axboe@...cle.com>
> >
> > vmsplice_to_user() must always check the user pointer and length
> > with access_ok() before copying. Likewise, for the slow path of
> > copy_from_user_mmap_sem() we need to check that we may read from
> > the user region.
> >
> > Signed-off-by: Jens Axboe <jens.axboe@...cle.com>
> > Cc: Wojciech Purczynski <cliph@...earch.coseinc.com>
> > Signed-off-by: Greg Kroah-Hartman <gregkh@...e.de>
> > ---
> >
> > Linus, this fixes a security hole in splice that is now public. I have
> > it queued up for the .23 and .24 -stable releases as well.
> >
> > fs/splice.c | 8 ++++++++
> > 1 files changed, 8 insertions(+), 0 deletions(-)
> >
> > diff --git a/fs/splice.c b/fs/splice.c
> > index 4ee49e8..14e2262 100644
> > --- a/fs/splice.c
> > +++ b/fs/splice.c
> > @@ -1179,6 +1179,9 @@ static int copy_from_user_mmap_sem(void *dst, const
> > void __user *src, size_t n)
> > {
> > int partial;
> >
> > + if (!access_ok(VERIFY_READ, src, n))
> > + return -EFAULT;
> > +
> > pagefault_disable();
> > partial = __copy_from_user_inatomic(dst, src, n);
> > pagefault_enable();
> > @@ -1387,6 +1390,11 @@ static long vmsplice_to_user(struct file *file,
> const
> > struct iovec __user *iov,
> > break;
> > }
> >
> > + if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
> > + error = -EFAULT;
> > + break;
> > + }
> > +
> > sd.len = 0;
> > sd.total_len = len;
> > sd.flags = flags;
> > --
> > 1.5.4.22.g7a20
> >
> >
> > --
> > Jens Axboe
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> > the body of a message to majordomo@...r.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at http://www.tux.org/lkml/
> >
>
>
> --
> Thanks,
> Oliver
>
--
Thanks,
Oliver
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists