LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
* [PATCH] splice: fix user pointer access in get_iovec_page_array()
@ 2008-02-10 14:47 Pekka J Enberg
  2008-02-10 15:17 ` Bastian Blank
                   ` (2 more replies)
  0 siblings, 3 replies; 10+ messages in thread
From: Pekka J Enberg @ 2008-02-10 14:47 UTC (permalink / raw)
  To: torvalds
  Cc: linux-kernel, stable, jens.axboe, akpm, bastian, ndenev, oliver.pntr

From: Bastian Blank <bastian@waldi.eu.org>

The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
pointer access verification") added access_ok() to copy_from_user_mmap_sem()
which only ensures we can copy the struct iovecs from userspace to the kernel
but we also must check whether we can access the actual memory region pointed
to by the struct iovec to close the local root exploit.

Cc: <stable@kernel.org>
Cc: Jens Axboe <jens.axboe@oracle.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
---
Bastian, can I have your Signed-off-by for this, please? Oliver, Niki, can 
you please confirm this closes the hole?

 fs/splice.c |    3 +++
 1 file changed, 3 insertions(+)

Index: linux-2.6/fs/splice.c
===================================================================
--- linux-2.6.orig/fs/splice.c
+++ linux-2.6/fs/splice.c
@@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
 		if (unlikely(!base))
 			break;
 
+		if (unlikely(!access_ok(VERIFY_READ, base, len)))
+			break;
+
 		/*
 		 * Get this base offset and number of pages, then map
 		 * in the user pages.

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] splice: fix user pointer access in get_iovec_page_array()
  2008-02-10 14:47 [PATCH] splice: fix user pointer access in get_iovec_page_array() Pekka J Enberg
@ 2008-02-10 15:17 ` Bastian Blank
  2008-02-10 15:31   ` Oliver Pinter
  2008-02-10 23:37 ` Willy Tarreau
  2008-02-11  7:29 ` [PATCH] vmsplice exploit fix (was: splice: fix user pointer access in get_iovec_page_array) Daniel Phillips
  2 siblings, 1 reply; 10+ messages in thread
From: Bastian Blank @ 2008-02-10 15:17 UTC (permalink / raw)
  To: Pekka J Enberg
  Cc: torvalds, linux-kernel, stable, jens.axboe, akpm, ndenev, oliver.pntr

[-- Attachment #1: Type: text/plain, Size: 1308 bytes --]

On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote:
> From: Bastian Blank <bastian@waldi.eu.org>
> 
> The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
> pointer access verification") added access_ok() to copy_from_user_mmap_sem()
> which only ensures we can copy the struct iovecs from userspace to the kernel
> but we also must check whether we can access the actual memory region pointed
> to by the struct iovec to close the local root exploit.
> 
> Cc: <stable@kernel.org>
> Cc: Jens Axboe <jens.axboe@oracle.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
Signed-off-by: Bastian Blank <waldi@debian.org>

> Index: linux-2.6/fs/splice.c
> ===================================================================
> --- linux-2.6.orig/fs/splice.c
> +++ linux-2.6/fs/splice.c
> @@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
>  		if (unlikely(!base))
>  			break;
>  
> +		if (unlikely(!access_ok(VERIFY_READ, base, len)))
> +			break;
> +
>  		/*
>  		 * Get this base offset and number of pages, then map
>  		 * in the user pages.

-- 
Those who hate and fight must stop themselves -- otherwise it is not stopped.
		-- Spock, "Day of the Dove", stardate unknown

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 197 bytes --]

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] splice: fix user pointer access in get_iovec_page_array()
  2008-02-10 15:17 ` Bastian Blank
@ 2008-02-10 15:31   ` Oliver Pinter
  0 siblings, 0 replies; 10+ messages in thread
From: Oliver Pinter @ 2008-02-10 15:31 UTC (permalink / raw)
  To: Bastian Blank, Pekka J Enberg, torvalds, linux-kernel, stable,
	jens.axboe, akpm, ndenev, oliver.pntr

Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>

----8<----

Linux pancs 2.6.22.17-opt2-cve2 #1 SMP Sun Feb 10 16:22:37 CET 2008
i686 GNU/Linux
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f2d000 .. 0xb7f5f000
[-] vmsplice: Bad address

-----

oliver@pancs:/tmp$ uname -a && ./2623_2624_root_exploit
Linux pancs 2.6.22.17-opt2-cve2 #1 SMP Sun Feb 10 16:22:37 CET 2008
i686 GNU/Linux
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] addr: 0xc01112e9
[-] wtf


---->8----
On 2/10/08, Bastian Blank <bastian@waldi.eu.org> wrote:
> On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote:
> > From: Bastian Blank <bastian@waldi.eu.org>
> >
> > The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
> > pointer access verification") added access_ok() to
> copy_from_user_mmap_sem()
> > which only ensures we can copy the struct iovecs from userspace to the
> kernel
> > but we also must check whether we can access the actual memory region
> pointed
> > to by the struct iovec to close the local root exploit.
> >
> > Cc: <stable@kernel.org>
> > Cc: Jens Axboe <jens.axboe@oracle.com>
> > Cc: Andrew Morton <akpm@linux-foundation.org>
> > Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
> Signed-off-by: Bastian Blank <waldi@debian.org>
>
> > Index: linux-2.6/fs/splice.c
> > ===================================================================
> > --- linux-2.6.orig/fs/splice.c
> > +++ linux-2.6/fs/splice.c
> > @@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
> >  		if (unlikely(!base))
> >  			break;
> >
> > +		if (unlikely(!access_ok(VERIFY_READ, base, len)))
> > +			break;
> > +
> >  		/*
> >  		 * Get this base offset and number of pages, then map
> >  		 * in the user pages.
>
> --
> Those who hate and fight must stop themselves -- otherwise it is not
> stopped.
> 		-- Spock, "Day of the Dove", stardate unknown
>


-- 
Thanks,
Oliver

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] splice: fix user pointer access in get_iovec_page_array()
  2008-02-10 14:47 [PATCH] splice: fix user pointer access in get_iovec_page_array() Pekka J Enberg
  2008-02-10 15:17 ` Bastian Blank
@ 2008-02-10 23:37 ` Willy Tarreau
  2008-02-11  6:24   ` Oliver Pinter
  2008-02-11  7:29 ` [PATCH] vmsplice exploit fix (was: splice: fix user pointer access in get_iovec_page_array) Daniel Phillips
  2 siblings, 1 reply; 10+ messages in thread
From: Willy Tarreau @ 2008-02-10 23:37 UTC (permalink / raw)
  To: Pekka J Enberg
  Cc: torvalds, linux-kernel, stable, jens.axboe, akpm, bastian,
	ndenev, oliver.pntr

On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote:
> From: Bastian Blank <bastian@waldi.eu.org>
> 
> The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
> pointer access verification") added access_ok() to copy_from_user_mmap_sem()
> which only ensures we can copy the struct iovecs from userspace to the kernel
> but we also must check whether we can access the actual memory region pointed
> to by the struct iovec to close the local root exploit.
> 
> Cc: <stable@kernel.org>
> Cc: Jens Axboe <jens.axboe@oracle.com>
> Cc: Andrew Morton <akpm@linux-foundation.org>
> Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
> ---
> Bastian, can I have your Signed-off-by for this, please? Oliver, Niki, can 
> you please confirm this closes the hole?

Pekka, I confirm that it also closes the hole once backported to 2.6.22.

Willy


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] splice: fix user pointer access in get_iovec_page_array()
  2008-02-10 23:37 ` Willy Tarreau
@ 2008-02-11  6:24   ` Oliver Pinter
  0 siblings, 0 replies; 10+ messages in thread
From: Oliver Pinter @ 2008-02-11  6:24 UTC (permalink / raw)
  To: Willy Tarreau
  Cc: Pekka J Enberg, torvalds, linux-kernel, stable, jens.axboe, akpm,
	bastian, ndenev

Linux pancs 2.6.22.17-opt2-cve2 #1 SMP Sun Feb 10 16:22:37 CET 2008
i686 GNU/Linux
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7f95000 .. 0xb7fc7000
[-] vmsplice: Bad address
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] addr: 0xc01112e9
[-] wtf

the patch is good for 2.6.22.y

On 2/11/08, Willy Tarreau <w@1wt.eu> wrote:
> On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote:
> > From: Bastian Blank <bastian@waldi.eu.org>
> >
> > The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
> > pointer access verification") added access_ok() to
> copy_from_user_mmap_sem()
> > which only ensures we can copy the struct iovecs from userspace to the
> kernel
> > but we also must check whether we can access the actual memory region
> pointed
> > to by the struct iovec to close the local root exploit.
> >
> > Cc: <stable@kernel.org>
> > Cc: Jens Axboe <jens.axboe@oracle.com>
> > Cc: Andrew Morton <akpm@linux-foundation.org>
> > Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
> > ---
> > Bastian, can I have your Signed-off-by for this, please? Oliver, Niki, can
> > you please confirm this closes the hole?
>
> Pekka, I confirm that it also closes the hole once backported to 2.6.22.
>
> Willy
>
>


-- 
Thanks,
Oliver

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [PATCH] vmsplice exploit fix (was: splice: fix user pointer access in get_iovec_page_array)
  2008-02-10 14:47 [PATCH] splice: fix user pointer access in get_iovec_page_array() Pekka J Enberg
  2008-02-10 15:17 ` Bastian Blank
  2008-02-10 23:37 ` Willy Tarreau
@ 2008-02-11  7:29 ` Daniel Phillips
  2008-02-11  7:49   ` Pekka Enberg
  2008-02-11  7:53   ` [stable] " Greg KH
  2 siblings, 2 replies; 10+ messages in thread
From: Daniel Phillips @ 2008-02-11  7:29 UTC (permalink / raw)
  To: Pekka J Enberg
  Cc: torvalds, linux-kernel, stable, jens.axboe, akpm, bastian,
	ndenev, oliver.pntr

[-- Attachment #1: Type: text/plain, Size: 787 bytes --]

Kudos to all involved in the rapid response.  But.

Information on patching this vulnerability is not available front and 
center in many of the places you would expect: kernel.org front page, 
debian.org front page, covered on planet.debian.org but without a 
pointer to the patch, and so on.  So this post provides a subject line 
for Google to find, and for good measure mentions the word 
vulnerability.

Also,

   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953

I think many users would first go to kernel.org on a day like today, as 
I did.  Nothing to see there.  We could do a way better job of getting 
the word out.

Patch attached as posted above by Pekka.  For the mortals among us:

   cd linux-2.6.recent && patch <fix.vmsplice.exploit.patch -p1

Regards,

Daniel

[-- Attachment #2: fix.vmsplice.exploit.patch --]
[-- Type: text/x-diff, Size: 751 bytes --]

Cc: <stable@kernel.org>
Cc: Jens Axboe <jens.axboe@oracle.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
---
Bastian, can I have your Signed-off-by for this, please? Oliver, Niki, can 
you please confirm this closes the hole?

 fs/splice.c |    3 +++
 1 file changed, 3 insertions(+)

Index: linux-2.6/fs/splice.c
===================================================================
--- linux-2.6.orig/fs/splice.c
+++ linux-2.6/fs/splice.c
@@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
 		if (unlikely(!base))
 			break;
 
+		if (unlikely(!access_ok(VERIFY_READ, base, len)))
+			break;
+
 		/*
 		 * Get this base offset and number of pages, then map
 		 * in the user pages.


^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] vmsplice exploit fix (was: splice: fix user pointer access in get_iovec_page_array)
  2008-02-11  7:29 ` [PATCH] vmsplice exploit fix (was: splice: fix user pointer access in get_iovec_page_array) Daniel Phillips
@ 2008-02-11  7:49   ` Pekka Enberg
  2008-02-11  8:00     ` Daniel Phillips
  2008-02-11  7:53   ` [stable] " Greg KH
  1 sibling, 1 reply; 10+ messages in thread
From: Pekka Enberg @ 2008-02-11  7:49 UTC (permalink / raw)
  To: Daniel Phillips
  Cc: torvalds, linux-kernel, stable, jens.axboe, akpm, bastian,
	ndenev, oliver.pntr

Hi Daniel,

On Feb 11, 2008 9:29 AM, Daniel Phillips <phillips@phunq.net> wrote:
> I think many users would first go to kernel.org on a day like today, as
> I did.  Nothing to see there.  We could do a way better job of getting
> the word out.

Any suggestions what I could have done better here? As soon as Linus
merged the patch, I sent it to stable@kernel.org and expected
information to spread from there. I did also follow up on some vendor
bugzillas (Debian, RHEL, Fedora) to make sure they were aware of the
merged patch (they were).

                                    Pekka

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [stable] [PATCH] vmsplice exploit fix (was: splice: fix user pointer access in get_iovec_page_array)
  2008-02-11  7:29 ` [PATCH] vmsplice exploit fix (was: splice: fix user pointer access in get_iovec_page_array) Daniel Phillips
  2008-02-11  7:49   ` Pekka Enberg
@ 2008-02-11  7:53   ` Greg KH
  2008-02-11  8:05     ` Daniel Phillips
  1 sibling, 1 reply; 10+ messages in thread
From: Greg KH @ 2008-02-11  7:53 UTC (permalink / raw)
  To: Daniel Phillips
  Cc: Pekka J Enberg, ndenev, bastian, linux-kernel, jens.axboe, akpm,
	oliver.pntr, torvalds, stable

On Sun, Feb 10, 2008 at 11:29:50PM -0800, Daniel Phillips wrote:
> Kudos to all involved in the rapid response.  But.
> 
> Information on patching this vulnerability is not available front and 
> center in many of the places you would expect: kernel.org front page, 
> debian.org front page, covered on planet.debian.org but without a 
> pointer to the patch, and so on.  So this post provides a subject line 
> for Google to find, and for good measure mentions the word 
> vulnerability.

All currently active Linux kernel versions are now released with a fix
for this problem.  We have released them through our normal channels,
with the needed information as to what the problem is, a pointer to the
CVE number, and the patch itself.

I don't think there's much more we need to do here, do you?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [PATCH] vmsplice exploit fix (was: splice: fix user pointer access in get_iovec_page_array)
  2008-02-11  7:49   ` Pekka Enberg
@ 2008-02-11  8:00     ` Daniel Phillips
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel Phillips @ 2008-02-11  8:00 UTC (permalink / raw)
  To: Pekka Enberg
  Cc: torvalds, linux-kernel, stable, jens.axboe, akpm, bastian,
	ndenev, oliver.pntr

On Sunday 10 February 2008 23:49, Pekka Enberg wrote:
> Hi Daniel,
>
> On Feb 11, 2008 9:29 AM, Daniel Phillips <phillips@phunq.net> wrote:
> > I think many users would first go to kernel.org on a day like
> > today, as I did.  Nothing to see there.  We could do a way better
> > job of getting the word out.
>
> Any suggestions what I could have done better here?

You did your part flawlessly as far as I can see.  Really, your original 
subject line was accurate, and lkml should not be the place to go to 
find the patch, but it is.

> As soon as Linus 
> merged the patch, I sent it to stable@kernel.org and expected
> information to spread from there. I did also follow up on some vendor
> bugzillas (Debian, RHEL, Fedora) to make sure they were aware of the
> merged patch (they were).

And they are no doubt getting kernel revs out at this very moment, that 
part of the machine works great.  It is just the part about getting out 
information to users who want to patch their own kernels that could be 
done better.

Regards,

Daniel

^ permalink raw reply	[flat|nested] 10+ messages in thread

* Re: [stable] [PATCH] vmsplice exploit fix (was: splice: fix user pointer access in get_iovec_page_array)
  2008-02-11  7:53   ` [stable] " Greg KH
@ 2008-02-11  8:05     ` Daniel Phillips
  0 siblings, 0 replies; 10+ messages in thread
From: Daniel Phillips @ 2008-02-11  8:05 UTC (permalink / raw)
  To: Greg KH
  Cc: Pekka J Enberg, ndenev, bastian, linux-kernel, jens.axboe, akpm,
	oliver.pntr, torvalds, stable

On Sunday 10 February 2008 23:53, Greg KH wrote:
> I don't think there's much more we need to do here, do you?

No amount of information about such a thing is too much information.  We 
do not need to do any more, but we can do more.

It is news, how about an entry in the kernel.org news section?  How 
about a security alerts section on kernel.org?  There is a lot that can 
be done to support people who want to patch their kernels as quickly as 
possible.

Regards,

Daniel

^ permalink raw reply	[flat|nested] 10+ messages in thread

end of thread, other threads:[~2008-02-11  8:05 UTC | newest]

Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2008-02-10 14:47 [PATCH] splice: fix user pointer access in get_iovec_page_array() Pekka J Enberg
2008-02-10 15:17 ` Bastian Blank
2008-02-10 15:31   ` Oliver Pinter
2008-02-10 23:37 ` Willy Tarreau
2008-02-11  6:24   ` Oliver Pinter
2008-02-11  7:29 ` [PATCH] vmsplice exploit fix (was: splice: fix user pointer access in get_iovec_page_array) Daniel Phillips
2008-02-11  7:49   ` Pekka Enberg
2008-02-11  8:00     ` Daniel Phillips
2008-02-11  7:53   ` [stable] " Greg KH
2008-02-11  8:05     ` Daniel Phillips

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).