[PATCH] vmsplice exploit fix (was: splice: fix user pointer access in get_iovec_page_array)
From: Daniel Phillips
Date: Mon Feb 11 2008 - 02:30:15 EST
Kudos to all involved in the rapid response. But.
Information on patching this vulnerability is not available front and
center in many of the places you would expect: kernel.org front page,
debian.org front page, covered on planet.debian.org but without a
pointer to the patch, and so on. So this post provides a subject line
for Google to find, and for good measure mentions the word
vulnerability.
Also,
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953
I think many users would first go to kernel.org on a day like today, as
I did. Nothing to see there. We could do a way better job of getting
the word out.
Patch attached as posted above by Pekka. For the mortals among us:
cd linux-2.6.recent && patch <fix.vmsplice.exploit.patch -p1
Regards,
Daniel
Cc: <stable@xxxxxxxxxx>
Cc: Jens Axboe <jens.axboe@xxxxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Pekka Enberg <penberg@xxxxxxxxxxxxxx>
---
Bastian, can I have your Signed-off-by for this, please? Oliver, Niki, can
you please confirm this closes the hole?
fs/splice.c | 3 +++
1 file changed, 3 insertions(+)
Index: linux-2.6/fs/splice.c
===================================================================
--- linux-2.6.orig/fs/splice.c
+++ linux-2.6/fs/splice.c
@@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
if (unlikely(!base))
break;
+ if (unlikely(!access_ok(VERIFY_READ, base, len)))
+ break;
+
/*
* Get this base offset and number of pages, then map
* in the user pages.