LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Greg KH <greg@kroah.com>
To: torvalds@linux-foundation.org
Cc: Jens Axboe <jens.axboe@oracle.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	cliph@research.coseinc.com, linux-kernel@vger.kernel.org
Subject: [PATCH] splice: missing user pointer access verification (CVE-2008-0009/10)
Date: Fri, 8 Feb 2008 08:49:14 -0800	[thread overview]
Message-ID: <20080208164914.GB17072@kroah.com> (raw)
In-Reply-To: <20080208160203.GB23197@kernel.dk>

From: Jens Axboe <jens.axboe@oracle.com>

vmsplice_to_user() must always check the user pointer and length
with access_ok() before copying. Likewise, for the slow path of
copy_from_user_mmap_sem() we need to check that we may read from
the user region.

Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
Cc: Wojciech Purczynski <cliph@research.coseinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

Linus, this fixes a security hole in splice that is now public.  I have
it queued up for the .23 and .24 -stable releases as well.

 fs/splice.c |    8 ++++++++
 1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/fs/splice.c b/fs/splice.c
index 4ee49e8..14e2262 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1179,6 +1179,9 @@ static int copy_from_user_mmap_sem(void *dst, const void __user *src, size_t n)
 {
 	int partial;
 
+	if (!access_ok(VERIFY_READ, src, n))
+		return -EFAULT;
+
 	pagefault_disable();
 	partial = __copy_from_user_inatomic(dst, src, n);
 	pagefault_enable();
@@ -1387,6 +1390,11 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *iov,
 			break;
 		}
 
+		if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+			error = -EFAULT;
+			break;
+		}
+
 		sd.len = 0;
 		sd.total_len = len;
 		sd.flags = flags;
-- 
1.5.4.22.g7a20


-- 
Jens Axboe

       reply	other threads:[~2008-02-08 16:51 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <0802051044200.29525@mjc.redhat.com>
     [not found] ` <20080205165301.1e0b8ad8.akpm@linux-foundation.org>
     [not found]   ` <20080206095510.GA15220@kernel.dk>
     [not found]     ` <20080207223146.GI19310@kroah.com>
     [not found]       ` <20080208160203.GB23197@kernel.dk>
2008-02-08 16:49         ` Greg KH [this message]
2008-02-08 17:48           ` Oliver Pinter
2008-02-08 18:09             ` Greg KH
2008-02-08 18:10             ` Oliver Pinter

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20080208164914.GB17072@kroah.com \
    --to=greg@kroah.com \
    --cc=akpm@linux-foundation.org \
    --cc=cliph@research.coseinc.com \
    --cc=jens.axboe@oracle.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    --subject='Re: [PATCH] splice: missing user pointer access verification (CVE-2008-0009/10)' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).