Re: [PATCH] splice: fix user pointer access in get_iovec_page_array()
From: Bastian Blank
Date: Sun Feb 10 2008 - 10:17:50 EST
On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote:
> From: Bastian Blank <bastian@xxxxxxxxxxxx>
>
> The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
> pointer access verification") added access_ok() to copy_from_user_mmap_sem()
> which only ensures we can copy the struct iovecs from userspace to the kernel
> but we also must check whether we can access the actual memory region pointed
> to by the struct iovec to close the local root exploit.
>
> Cc: <stable@xxxxxxxxxx>
> Cc: Jens Axboe <jens.axboe@xxxxxxxxxx>
> Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Pekka Enberg <penberg@xxxxxxxxxxxxxx>
Signed-off-by: Bastian Blank <waldi@xxxxxxxxxx>
> Index: linux-2.6/fs/splice.c
> ===================================================================
> --- linux-2.6.orig/fs/splice.c
> +++ linux-2.6/fs/splice.c
> @@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
> if (unlikely(!base))
> break;
>
> + if (unlikely(!access_ok(VERIFY_READ, base, len)))
> + break;
> +
> /*
> * Get this base offset and number of pages, then map
> * in the user pages.
--
Those who hate and fight must stop themselves -- otherwise it is not stopped.
-- Spock, "Day of the Dove", stardate unknown
Attachment:
signature.asc
Description: Digital signature