Re: [PATCH] splice: fix user pointer access in get_iovec_page_array()
Linux pancs 2.6.22.17-opt2-cve2 #1 SMP Sun Feb 10 16:22:37 CET 2008 i686 GNU/Linux
--- Linux vmsplice Local Root Exploit By qaaz ---
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f95000 .. 0xb7fc7000
[-] vmsplice: Bad address
--- Linux vmsplice Local Root Exploit By qaaz ---
[+] addr: 0xc01112e9
[-] wtf

the patch is good for 2.6.22.y

On 2/11/08, Willy Tarreau <[EMAIL PROTECTED]> wrote:
> On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote:
> > From: Bastian Blank <[EMAIL PROTECTED]>
> >
> > The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
> > pointer access verification") added access_ok() to copy_from_user_mmap_sem()
> > which only ensures we can copy the struct iovecs from userspace to the kernel
> > but we also must check whether we can access the actual memory region pointed
> > to by the struct iovec to close the local root exploit.
> >
> > Cc: <[EMAIL PROTECTED]>
> > Cc: Jens Axboe <[EMAIL PROTECTED]>
> > Cc: Andrew Morton <[EMAIL PROTECTED]>
> > Signed-off-by: Pekka Enberg <[EMAIL PROTECTED]>
> > ---
> > Bastian, can I have your Signed-off-by for this, please? Oliver, Niki, can
> > you please confirm this closes the hole?
>
> Pekka, I confirm that it also closes the hole once backported to 2.6.22.
>
> Willy
>

-- 
Thanks,
Oliver
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Re: [PATCH] splice: fix user pointer access in get_iovec_page_array()
On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote:
> From: Bastian Blank <[EMAIL PROTECTED]>
>
> The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
> pointer access verification") added access_ok() to copy_from_user_mmap_sem()
> which only ensures we can copy the struct iovecs from userspace to the kernel
> but we also must check whether we can access the actual memory region pointed
> to by the struct iovec to close the local root exploit.
>
> Cc: <[EMAIL PROTECTED]>
> Cc: Jens Axboe <[EMAIL PROTECTED]>
> Cc: Andrew Morton <[EMAIL PROTECTED]>
> Signed-off-by: Pekka Enberg <[EMAIL PROTECTED]>
> ---
> Bastian, can I have your Signed-off-by for this, please? Oliver, Niki, can
> you please confirm this closes the hole?

Pekka, I confirm that it also closes the hole once backported to 2.6.22.

Willy
Re: [PATCH] splice: fix user pointer access in get_iovec_page_array()
Signed-off-by: Oliver Pinter <[EMAIL PROTECTED]>

8<
Linux pancs 2.6.22.17-opt2-cve2 #1 SMP Sun Feb 10 16:22:37 CET 2008 i686 GNU/Linux
--- Linux vmsplice Local Root Exploit By qaaz ---
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f2d000 .. 0xb7f5f000
[-] vmsplice: Bad address
-
[EMAIL PROTECTED]:/tmp$ uname -a && ./2623_2624_root_exploit
Linux pancs 2.6.22.17-opt2-cve2 #1 SMP Sun Feb 10 16:22:37 CET 2008 i686 GNU/Linux
--- Linux vmsplice Local Root Exploit By qaaz ---
[+] addr: 0xc01112e9
[-] wtf
>8

On 2/10/08, Bastian Blank <[EMAIL PROTECTED]> wrote:
> On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote:
> > From: Bastian Blank <[EMAIL PROTECTED]>
> >
> > The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
> > pointer access verification") added access_ok() to copy_from_user_mmap_sem()
> > which only ensures we can copy the struct iovecs from userspace to the kernel
> > but we also must check whether we can access the actual memory region pointed
> > to by the struct iovec to close the local root exploit.
> >
> > Cc: <[EMAIL PROTECTED]>
> > Cc: Jens Axboe <[EMAIL PROTECTED]>
> > Cc: Andrew Morton <[EMAIL PROTECTED]>
> > Signed-off-by: Pekka Enberg <[EMAIL PROTECTED]>
> Signed-off-by: Bastian Blank <[EMAIL PROTECTED]>
>
> > Index: linux-2.6/fs/splice.c
> > ===
> > --- linux-2.6.orig/fs/splice.c
> > +++ linux-2.6/fs/splice.c
> > @@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
> >  		if (unlikely(!base))
> >  			break;
> >  
> > +		if (unlikely(!access_ok(VERIFY_READ, base, len)))
> > +			break;
> > +
> >  		/*
> >  		 * Get this base offset and number of pages, then map
> >  		 * in the user pages.
>
> --
> Those who hate and fight must stop themselves -- otherwise it is not
> stopped.
> -- Spock, "Day of the Dove", stardate unknown
>

-- 
Thanks,
Oliver
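Review bot: the new `break` after the access_ok() test in the @@ -1237 hunk does not assign `error`, so the errno returned for an unreadable region is whatever the preceding code left in it; the only context shown above the new lines is `if (unlikely(!base)) break;`, and the assignment that makes that path fail with -EFAULT lies outside the hunk. Either confirm that `error` already holds -EFAULT at this point or set it explicitly before the new `break`, so the check does not silently depend on statement ordering. The changelog could also say plainly that access_ok() is a range check against the user address limit only; whether the pages are actually present is still decided by the page mapping step the following comment ("then map in the user pages") introduces.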
Re: [PATCH] splice: fix user pointer access in get_iovec_page_array()
On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote:
> From: Bastian Blank <[EMAIL PROTECTED]>
>
> The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
> pointer access verification") added access_ok() to copy_from_user_mmap_sem()
> which only ensures we can copy the struct iovecs from userspace to the kernel
> but we also must check whether we can access the actual memory region pointed
> to by the struct iovec to close the local root exploit.
>
> Cc: <[EMAIL PROTECTED]>
> Cc: Jens Axboe <[EMAIL PROTECTED]>
> Cc: Andrew Morton <[EMAIL PROTECTED]>
> Signed-off-by: Pekka Enberg <[EMAIL PROTECTED]>
Signed-off-by: Bastian Blank <[EMAIL PROTECTED]>

> Index: linux-2.6/fs/splice.c
> ===
> --- linux-2.6.orig/fs/splice.c
> +++ linux-2.6/fs/splice.c
> @@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
>  		if (unlikely(!base))
>  			break;
>  
> +		if (unlikely(!access_ok(VERIFY_READ, base, len)))
> +			break;
> +
>  		/*
>  		 * Get this base offset and number of pages, then map
>  		 * in the user pages.

-- 
Those who hate and fight must stop themselves -- otherwise it is not
stopped.
-- Spock, "Day of the Dove", stardate unknown
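The commit message quoted in this thread separates two checks: access_ok() on the iovec array, which only proves that the array itself can be copied in, and a check on each memory region the entries point at, which is what the patch adds. The C program below is an added example, not code from the patch or from fs/splice.c; it models the two stages in user space so the gap between them can be seen on constructed input. USER_LIMIT, struct user_iovec, range_ok(), iov_array_ok(), iov_regions_ok() and the sample iovecs are all constructed for illustration, and treating a zero-length entry as the end of the walk is an assumption of this model, not a statement about the kernel loop.

```c
/* Added example: a user-space model of validating an iovec array versus
 * validating the regions its entries describe. Nothing here is kernel
 * code; all names and constants are constructed for illustration. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the top of the user address range; the real
 * kernel compares against a per-task limit inside access_ok(). */
#define USER_LIMIT ((uintptr_t)0xC0000000)

/* An iovec as the kernel holds it after copying the array in: plain
 * numbers in this model, never dereferenced. */
struct user_iovec {
    uintptr_t base;   /* user address of the buffer */
    size_t len;       /* length of the buffer */
};

/* Range check in the spirit of access_ok(): [addr, addr + len) must end
 * at or below USER_LIMIT and must not wrap around the address space. */
static bool range_ok(uintptr_t addr, size_t len)
{
    uintptr_t end = addr + len;

    if (end < addr)           /* base + len overflowed */
        return false;
    return end <= USER_LIMIT;
}

/* Stage 1, what the earlier commit already covered: is the array of
 * iovecs itself readable? This says nothing about where entries point. */
bool iov_array_ok(uintptr_t iov_addr, unsigned long nr_segs)
{
    if (nr_segs > SIZE_MAX / sizeof(struct user_iovec))
        return false;         /* nr_segs * sizeof() would overflow */
    return range_ok(iov_addr, nr_segs * sizeof(struct user_iovec));
}

/* Stage 2, what this patch adds: every region an entry describes must be
 * a valid user range too. A zero-length entry ends the walk (modelled as
 * success, an assumption here); a NULL base or an out-of-range region
 * fails. */
bool iov_regions_ok(uintptr_t iov_addr, const struct user_iovec *iov,
                    unsigned long nr_segs)
{
    if (!iov_array_ok(iov_addr, nr_segs))
        return false;

    for (unsigned long i = 0; i < nr_segs; i++) {
        if (iov[i].len == 0)
            break;
        if (iov[i].base == 0)
            return false;
        if (!range_ok(iov[i].base, iov[i].len))
            return false;
    }
    return true;
}

/* Constructed samples. The array address is valid in every case, so the
 * stage-1 check alone accepts all of them; only stage 2 tells them apart. */
#define SAMPLE_ARRAY_ADDR ((uintptr_t)0xBFFFF000)

const struct user_iovec sample_good[2] = {
    { 0x08049000, 4096 },     /* ordinary user buffer */
    { 0x08060000, 512 },
};

const struct user_iovec sample_kernel_ptr[2] = {
    { 0x08049000, 4096 },
    { 0xC0100000, 64 },       /* base above USER_LIMIT (constructed value) */
};

const struct user_iovec sample_wrap[1] = {
    { 0xBFFFFFF0, SIZE_MAX }, /* base + len wraps past zero */
};

int main(void)
{
    printf("good:       array %d regions %d\n",
           iov_array_ok(SAMPLE_ARRAY_ADDR, 2),
           iov_regions_ok(SAMPLE_ARRAY_ADDR, sample_good, 2));
    printf("kernel ptr: array %d regions %d\n",
           iov_array_ok(SAMPLE_ARRAY_ADDR, 2),
           iov_regions_ok(SAMPLE_ARRAY_ADDR, sample_kernel_ptr, 2));
    printf("wrap:       array %d regions %d\n",
           iov_array_ok(SAMPLE_ARRAY_ADDR, 1),
           iov_regions_ok(SAMPLE_ARRAY_ADDR, sample_wrap, 1));
    return 0;
}
```

Build with any C99 compiler (`cc -std=c99 -Wall iov_check.c`). The second sample is the situation the commit message describes: the array passes stage 1 yet one entry points outside the user range, and only stage 2 rejects it. The third sample shows why the end-of-range computation needs an overflow guard: without the `end < addr` test a wrapped sum would land back below USER_LIMIT and pass.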