
Stuff

commit f6e993b835393543bab2d917f9dea75218473edd
Author: Oliver Pinter <oliver.pntr@gmail.com>
Date:   Sun Feb 10 14:03:46 2008 +0100

    [PATCH] vm: splice local root exploit fix for 2.6.22.y
    
    Based on Bastian Blank's patch
    
    Fix for CVE-2008-0009 and CVE-2008-0010
    
    ----->8-----
    
    oliver@pancs:/tmp$ ./2617_26241_root_exploit
    -----------------------------------
     Linux vmsplice Local Root Exploit
      By qaaz
      -----------------------------------
      [+] mmap: 0x0 .. 0x1000
      [+] page: 0x0
      [+] page: 0x20
      [+] mmap: 0x4000 .. 0x5000
      [+] page: 0x4000
      [+] page: 0x4020
      [+] mmap: 0x1000 .. 0x2000
      [+] page: 0x1000
      [+] mmap: 0xb7f1a000 .. 0xb7f4c000
      [-] vmsplice: Bad address
    
    -----8<-----
    
    Signed-off-by: Oliver Pinter <oliver.pntr@gmail.com>

diff --git a/fs/splice.c b/fs/splice.c
index e263d3b..d8b106e 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1182,6 +1182,12 @@ static int get_iovec_page_array(const struct iovec __user *iov,
 		if (unlikely(!base))
 			break;
 
+		/* CVE-2008-0009, CVE-2008-0010 fix */
+		if(!access_ok(VERIFY_READ, base, len)) {
+			error = -EFAULT;
+			break;
+		}
+
 		/*
 		 * Get this base offset and number of pages, then map
 		 * in the user pages.
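Review bot: The new `access_ok(VERIFY_READ, base, len)` guard validates only the buffer that each iovec entry points at; the `iov` array itself is also a `__user` pointer (per the signature in the hunk header) and is read above this hunk, so it should be confirmed that this read goes through a checked copy, otherwise the same class of bug may remain one step earlier. The comment would serve a later reader better if it stated the invariant alongside the ids, e.g. `/* base/len come from userspace: reject ranges outside the user address space (CVE-2008-0009, CVE-2008-0010) */`. Kernel style also wants a space after `if`: `if (!access_ok(VERIFY_READ, base, len)) {`. The body of get_iovec_page_array starts and ends outside the hunk, so how `error` is handled after the `break` (including pages already mapped for earlier entries) cannot be checked from here.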