From: Daniel Phillips <phillips@phunq.net>
To: Pekka J Enberg <penberg@cs.helsinki.fi>
Cc: torvalds@linux-foundation.org, linux-kernel@vger.kernel.org,
stable@kernel.org, jens.axboe@oracle.com,
akpm@linux-foundation.org, bastian@waldi.eu.org,
ndenev@gmail.com, oliver.pntr@gmail.com
Subject: [PATCH] vmsplice exploit fix (was: splice: fix user pointer access in get_iovec_page_array)
Date: Sun, 10 Feb 2008 23:29:50 -0800
Message-ID: <200802102329.50843.phillips@phunq.net>
In-Reply-To: <Pine.LNX.4.64.0802101644510.12440@sbz-30.cs.Helsinki.FI>
Kudos to all involved in the rapid response. But.
Information on patching this vulnerability is not available front and
center in many of the places you would expect: kernel.org front page,
debian.org front page, covered on planet.debian.org but without a
pointer to the patch, and so on. So this post provides a subject line
for Google to find, and for good measure mentions the word
vulnerability.
Also,
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953
I think many users would first go to kernel.org on a day like today, as
I did. Nothing to see there. We could do a way better job of getting
the word out.
Patch attached as posted above by Pekka. For the mortals among us:
cd linux-2.6.recent && patch <fix.vmsplice.exploit.patch -p1
Regards,
Daniel
[-- Attachment #2: fix.vmsplice.exploit.patch --]
Cc: <stable@kernel.org>
Cc: Jens Axboe <jens.axboe@oracle.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
---
Bastian, can I have your Signed-off-by for this, please? Oliver, Niki, can
you please confirm this closes the hole?
fs/splice.c | 3 +++
1 file changed, 3 insertions(+)
Index: linux-2.6/fs/splice.c
===================================================================
--- linux-2.6.orig/fs/splice.c
+++ linux-2.6/fs/splice.c
@@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
if (unlikely(!base))
break;
+ if (unlikely(!access_ok(VERIFY_READ, base, len)))
+ break;
+
/*
* Get this base offset and number of pages, then map
* in the user pages.
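Review bot: the new `access_ok(VERIFY_READ, base, len)` test exits the loop with `break`, the same way the existing `if (unlikely(!base)) break;` just above it does, so an iovec entry pointing outside the user address space does not produce an error return; the function returns however many pages were gathered from the preceding entries and the caller sees a silently truncated result. That is consistent with the surrounding code, but it should be stated in the commit message, which at present consists only of Cc/Signed-off-by trailers and the request for Bastian's Signed-off-by; a one-line description of the defect (an iovec base/len pair from userspace reaching `get_user_pages()` without being range-checked, per the original subject "fix user pointer access in get_iovec_page_array()") would give the stable tree a usable record. Note also that `access_ok()` only validates that `[base, base+len)` lies in the user range; it does not guarantee the pages are present, so the fault handling still rests on the later `get_user_pages()` call, which is the right place for it.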