From: Jens Axboe <[email protected]>
vmsplice_to_user() must always check the user pointer and length
with access_ok() before copying. Likewise, for the slow path of
copy_from_user_mmap_sem() we need to check that we may read from
the user region.
Signed-off-by: Jens Axboe <[email protected]>
Cc: Wojciech Purczynski <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
Linus, this fixes a security hole in splice that is now public. I have
it queued up for the .23 and .24 -stable releases as well.
fs/splice.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)
diff --git a/fs/splice.c b/fs/splice.c
index 4ee49e8..14e2262 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1179,6 +1179,9 @@ static int copy_from_user_mmap_sem(void *dst, const void __user *src, size_t n)
{
int partial;
+ if (!access_ok(VERIFY_READ, src, n))
+ return -EFAULT;
+
pagefault_disable();
partial = __copy_from_user_inatomic(dst, src, n);
pagefault_enable();
@@ -1387,6 +1390,11 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *iov,
break;
}
+ if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+ error = -EFAULT;
+ break;
+ }
+
sd.len = 0;
sd.total_len = len;
sd.flags = flags;
--
1.5.4.22.g7a20
--
Jens Axboe
greg it's for .22 or the splice is changed between .22 and .23?
On 2/8/08, Greg KH <[email protected]> wrote:
> From: Jens Axboe <[email protected]>
>
> vmsplice_to_user() must always check the user pointer and length
> with access_ok() before copying. Likewise, for the slow path of
> copy_from_user_mmap_sem() we need to check that we may read from
> the user region.
>
> Signed-off-by: Jens Axboe <[email protected]>
> Cc: Wojciech Purczynski <[email protected]>
> Signed-off-by: Greg Kroah-Hartman <[email protected]>
> ---
>
> Linus, this fixes a security hole in splice that is now public. I have
> it queued up for the .23 and .24 -stable releases as well.
>
> fs/splice.c | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/fs/splice.c b/fs/splice.c
> index 4ee49e8..14e2262 100644
> --- a/fs/splice.c
> +++ b/fs/splice.c
> @@ -1179,6 +1179,9 @@ static int copy_from_user_mmap_sem(void *dst, const
> void __user *src, size_t n)
> {
> int partial;
>
> + if (!access_ok(VERIFY_READ, src, n))
> + return -EFAULT;
> +
> pagefault_disable();
> partial = __copy_from_user_inatomic(dst, src, n);
> pagefault_enable();
> @@ -1387,6 +1390,11 @@ static long vmsplice_to_user(struct file *file, const
> struct iovec __user *iov,
> break;
> }
>
> + if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
> + error = -EFAULT;
> + break;
> + }
> +
> sd.len = 0;
> sd.total_len = len;
> sd.flags = flags;
> --
> 1.5.4.22.g7a20
>
>
> --
> Jens Axboe
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>
--
Thanks,
Oliver
hmm, when I good see, this is not for .22, and it (vmsplice_to_user)
is came with .23
On 2/8/08, Oliver Pinter <[email protected]> wrote:
> greg it's for .22 or the splice is changed between .22 and .23?
>
> On 2/8/08, Greg KH <[email protected]> wrote:
> > From: Jens Axboe <[email protected]>
> >
> > vmsplice_to_user() must always check the user pointer and length
> > with access_ok() before copying. Likewise, for the slow path of
> > copy_from_user_mmap_sem() we need to check that we may read from
> > the user region.
> >
> > Signed-off-by: Jens Axboe <[email protected]>
> > Cc: Wojciech Purczynski <[email protected]>
> > Signed-off-by: Greg Kroah-Hartman <[email protected]>
> > ---
> >
> > Linus, this fixes a security hole in splice that is now public. I have
> > it queued up for the .23 and .24 -stable releases as well.
> >
> > fs/splice.c | 8 ++++++++
> > 1 files changed, 8 insertions(+), 0 deletions(-)
> >
> > diff --git a/fs/splice.c b/fs/splice.c
> > index 4ee49e8..14e2262 100644
> > --- a/fs/splice.c
> > +++ b/fs/splice.c
> > @@ -1179,6 +1179,9 @@ static int copy_from_user_mmap_sem(void *dst, const
> > void __user *src, size_t n)
> > {
> > int partial;
> >
> > + if (!access_ok(VERIFY_READ, src, n))
> > + return -EFAULT;
> > +
> > pagefault_disable();
> > partial = __copy_from_user_inatomic(dst, src, n);
> > pagefault_enable();
> > @@ -1387,6 +1390,11 @@ static long vmsplice_to_user(struct file *file,
> const
> > struct iovec __user *iov,
> > break;
> > }
> >
> > + if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
> > + error = -EFAULT;
> > + break;
> > + }
> > +
> > sd.len = 0;
> > sd.total_len = len;
> > sd.flags = flags;
> > --
> > 1.5.4.22.g7a20
> >
> >
> > --
> > Jens Axboe
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> > the body of a message to [email protected]
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at http://www.tux.org/lkml/
> >
>
>
> --
> Thanks,
> Oliver
>
--
Thanks,
Oliver
On Fri, Feb 08, 2008 at 06:48:54PM +0100, Oliver Pinter wrote:
> greg it's for .22 or the splice is changed between .22 and .23?
splice changed for .23 and this only affects .23 and older kernels, so
.22 and older kernels do not have issues.
thanks,
greg k-h