lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20080210151735.GA2810@wavehammer.waldi.eu.org>
Date:	Sun, 10 Feb 2008 16:17:35 +0100
From:	Bastian Blank <bastian@...di.eu.org>
To:	Pekka J Enberg <penberg@...helsinki.fi>
Cc:	torvalds@...ux-foundation.org, linux-kernel@...r.kernel.org,
	stable@...nel.org, jens.axboe@...cle.com,
	akpm@...ux-foundation.org, ndenev@...il.com, oliver.pntr@...il.com
Subject: Re: [PATCH] splice: fix user pointer access in get_iovec_page_array()

On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote:
> From: Bastian Blank <bastian@...di.eu.org>
> 
> The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
> pointer access verification") added access_ok() to copy_from_user_mmap_sem()
> which only ensures we can copy the struct iovecs from userspace to the kernel
> but we also must check whether we can access the actual memory region pointed
> to by the struct iovec to close the local root exploit.
> 
> Cc: <stable@...nel.org>
> Cc: Jens Axboe <jens.axboe@...cle.com>
> Cc: Andrew Morton <akpm@...ux-foundation.org>
> Signed-off-by: Pekka Enberg <penberg@...helsinki.fi>
Signed-off-by: Bastian Blank <waldi@...ian.org>

> Index: linux-2.6/fs/splice.c
> ===================================================================
> --- linux-2.6.orig/fs/splice.c
> +++ linux-2.6/fs/splice.c
> @@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
>  		if (unlikely(!base))
>  			break;
>  
> +		if (unlikely(!access_ok(VERIFY_READ, base, len)))
> +			break;
> +
>  		/*
>  		 * Get this base offset and number of pages, then map
>  		 * in the user pages.

-- 
Those who hate and fight must stop themselves -- otherwise it is not stopped.
		-- Spock, "Day of the Dove", stardate unknown

Download attachment "signature.asc" of type "application/pgp-signature" (198 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ