Date: Sun, 10 Feb 2008 16:17:35 +0100
From: Bastian Blank
To: Pekka J Enberg
Cc: torvalds@linux-foundation.org, linux-kernel@vger.kernel.org, stable@kernel.org, jens.axboe@oracle.com, akpm@linux-foundation.org, ndenev@gmail.com, oliver.pntr@gmail.com
Subject: Re: [PATCH] splice: fix user pointer access in get_iovec_page_array()
Message-ID: <20080210151735.GA2810@wavehammer.waldi.eu.org>

On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote:
> From: Bastian Blank
>
> The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
> pointer access verification") added access_ok() to copy_from_user_mmap_sem()
> which only ensures we can copy the struct iovecs from userspace to the kernel
> but we also must check whether we can access the actual memory region pointed
> to by the struct iovec to close the local root exploit.
>
> Cc:
> Cc: Jens Axboe
> Cc: Andrew Morton
> Signed-off-by: Pekka Enberg

Signed-off-by: Bastian Blank

> Index: linux-2.6/fs/splice.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > --- linux-2.6.orig/fs/splice.c > +++ linux-2.6/fs/splice.c > @@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st > if (unlikely(!base)) > break; > =20 > + if (unlikely(!access_ok(VERIFY_READ, base, len))) > + break; > + > /* > * Get this base offset and number of pages, then map > * in the user pages.

--
Those who hate and fight must stop themselves -- otherwise it is not stopped.
		-- Spock, "Day of the Dove", stardate unknown
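
Review bot: The new access_ok() check in get_iovec_page_array() leaves the loop with a bare `break`, and the hunk does not show which error value is in effect at that point. If it relies on a value assigned before the `if (unlikely(!base))` test just above, a short comment should say so; otherwise assign the error explicitly before the `break`, so that a rejected range is reported as a fault and cannot be mistaken for a clean early exit. A one-line comment stating that this validates the region described by `base` and `len`, as distinct from the copy of the struct iovec itself, would also carry the commit message's reasoning into the code, next to the existing "Get this base offset and number of pages" comment.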