SOURCES (LINUX_2_6): kernel-vmsplice.patch (NEW) - vmsplice securi...

Sun, 10 Feb 2008 12:51:58 -0800 

Author: arekm                        Date: Sun Feb 10 20:55:46 2008 GMT
Module: SOURCES                       Tag: LINUX_2_6
---- Log message:
- vmsplice security fixes for 2.6.24

---- Files affected:
SOURCES:
   kernel-vmsplice.patch (NONE -> 1.1.4.2)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/kernel-vmsplice.patch
diff -u /dev/null SOURCES/kernel-vmsplice.patch:1.1.4.2
--- /dev/null   Sun Feb 10 21:55:46 2008
+++ SOURCES/kernel-vmsplice.patch       Sun Feb 10 21:55:41 2008
@@ -0,0 +1,76 @@
+commit 8811930dc74a503415b35c4a79d14fb0b408a361
+Author: Jens Axboe <[EMAIL PROTECTED]>
+Date:   Fri Feb 8 08:49:14 2008 -0800
+
+    splice: missing user pointer access verification
+    
+    vmsplice_to_user() must always check the user pointer and length
+    with access_ok() before copying. Likewise, for the slow path of
+    copy_from_user_mmap_sem() we need to check that we may read from
+    the user region.
+    
+    Signed-off-by: Jens Axboe <[EMAIL PROTECTED]>
+    Cc: Wojciech Purczynski <[EMAIL PROTECTED]>
+    Signed-off-by: Greg Kroah-Hartman <[EMAIL PROTECTED]>
+    Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+
+diff --git a/fs/splice.c b/fs/splice.c
+index 4ee49e8..14e2262 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1179,6 +1179,9 @@ static int copy_from_user_mmap_sem(void *dst, const void 
__user *src, size_t n)
+ {
+       int partial;
+ 
++      if (!access_ok(VERIFY_READ, src, n))
++              return -EFAULT;
++
+       pagefault_disable();
+       partial = __copy_from_user_inatomic(dst, src, n);
+       pagefault_enable();
+@@ -1387,6 +1390,11 @@ static long vmsplice_to_user(struct file *file, const 
struct iovec __user *iov,
+                       break;
+               }
+ 
++              if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
++                      error = -EFAULT;
++                      break;
++              }
++
+               sd.len = 0;
+               sd.total_len = len;
+               sd.flags = flags;
+commit 712a30e63c8066ed84385b12edbfb804f49cbc44
+Author: Bastian Blank <[EMAIL PROTECTED]>
+Date:   Sun Feb 10 16:47:57 2008 +0200
+
+    splice: fix user pointer access in get_iovec_page_array()
+    
+    Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
+    pointer access verification") added the proper access_ok() calls to
+    copy_from_user_mmap_sem() which ensures we can copy the struct iovecs
+    from userspace to the kernel.
+    
+    But we also must check whether we can access the actual memory region
+    pointed to by the struct iovec to fix the access checks properly.
+    
+    Signed-off-by: Bastian Blank <[EMAIL PROTECTED]>
+    Acked-by: Oliver Pinter <[EMAIL PROTECTED]>
+    Cc: Jens Axboe <[EMAIL PROTECTED]>
+    Cc: Andrew Morton <[EMAIL PROTECTED]>
+    Signed-off-by: Pekka Enberg <[EMAIL PROTECTED]>
+    Signed-off-by: Linus Torvalds <[EMAIL PROTECTED]>
+
+diff --git a/fs/splice.c b/fs/splice.c
+index 14e2262..9b559ee 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1234,7 +1234,7 @@ static int get_iovec_page_array(const struct iovec 
__user *iov,
+               if (unlikely(!len))
+                       break;
+               error = -EFAULT;
+-              if (unlikely(!base))
++              if (!access_ok(VERIFY_READ, base, len))
+                       break;
+ 
+               /*
================================================================
_______________________________________________
pld-cvs-commit mailing list
[email protected]
http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit

Reply via email to