summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'tags/2.6.20-5/26000_linux-2.6-cve-2008-0600.patch')
-rw-r--r--tags/2.6.20-5/26000_linux-2.6-cve-2008-0600.patch37
1 files changed, 37 insertions, 0 deletions
diff --git a/tags/2.6.20-5/26000_linux-2.6-cve-2008-0600.patch b/tags/2.6.20-5/26000_linux-2.6-cve-2008-0600.patch
new file mode 100644
index 0000000..b783259
--- /dev/null
+++ b/tags/2.6.20-5/26000_linux-2.6-cve-2008-0600.patch
@@ -0,0 +1,37 @@
+From: Bastian Blank <bastian@waldi.eu.org>
+Date: Sun, 10 Feb 2008 14:47:57 +0000 (+0200)
+Subject: splice: fix user pointer access in get_iovec_page_array()
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=712a30e63c8066ed84385b12edbfb804f49cbc44
+
+splice: fix user pointer access in get_iovec_page_array()
+
+Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
+pointer access verification") added the proper access_ok() calls to
+copy_from_user_mmap_sem() which ensures we can copy the struct iovecs
+from userspace to the kernel.
+
+But we also must check whether we can access the actual memory region
+pointed to by the struct iovec to fix the access checks properly.
+
+Signed-off-by: Bastian Blank <waldi@debian.org>
+Acked-by: Oliver Pinter <oliver.pntr@gmail.com>
+Cc: Jens Axboe <jens.axboe@oracle.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/fs/splice.c b/fs/splice.c
+index 14e2262..9b559ee 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1234,7 +1234,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
+ if (unlikely(!len))
+ break;
+ error = -EFAULT;
+- if (unlikely(!base))
++ if (!access_ok(VERIFY_READ, base, len))
+ break;
+
+ /*
+