Mailing List Archive: Linux: Kernel

[PATCH] splice: missing user pointer access verification (CVE-2008-0009/10)


greg at kroah

Feb 8, 2008, 8:49 AM

Post #1 of 4 (8313 views)
[PATCH] splice: missing user pointer access verification (CVE-2008-0009/10)

From: Jens Axboe <jens.axboe [at] oracle>

vmsplice_to_user() must always check the user pointer and length
with access_ok() before copying. Likewise, for the slow path of
copy_from_user_mmap_sem() we need to check that we may read from
the user region.

Signed-off-by: Jens Axboe <jens.axboe [at] oracle>
Cc: Wojciech Purczynski <cliph [at] research>
Signed-off-by: Greg Kroah-Hartman <gregkh [at] suse>
---

Linus, this fixes a security hole in splice that is now public. I have
it queued up for the .23 and .24 -stable releases as well.

fs/splice.c | 8 ++++++++
1 files changed, 8 insertions(+), 0 deletions(-)

diff --git a/fs/splice.c b/fs/splice.c
index 4ee49e8..14e2262 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1179,6 +1179,9 @@ static int copy_from_user_mmap_sem(void *dst, const void __user *src, size_t n)
{
int partial;

+ if (!access_ok(VERIFY_READ, src, n))
+ return -EFAULT;
+
pagefault_disable();
partial = __copy_from_user_inatomic(dst, src, n);
pagefault_enable();
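Review bot: placing the access_ok(VERIFY_READ, src, n) check at function entry means it covers both the pagefault_disable()/__copy_from_user_inatomic() fast path visible here and the slow path the commit message refers to, which is not in the hunk; since the double-underscore copy helpers do no range check of their own, this line is what stops a src pointer outside the user range from being read. Consider a one-line comment stating that the slow path below relies on this entry check, so a later refactor does not move it. Also, the sibling vmsplice_to_user() hunk wraps its access_ok() in unlikely() while this one does not; pick one form for both.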
@@ -1387,6 +1390,11 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *iov,
break;
}

+ if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+ error = -EFAULT;
+ break;
+ }
+
sd.len = 0;
sd.total_len = len;
sd.flags = flags;
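Review bot: VERIFY_WRITE is the correct direction here, since base/len describe the user buffer that vmsplice writes pipe data into, and -EFAULT is what a checked copy_to_user() would report for the same condition, so the error value is consistent. Two points for the log or a comment: access_ok() only establishes that [base, base + len) lies within the user address range, so an unmapped or read-only page still has to be caught by the copy itself, and because the loop breaks on the first failing iovec, entries handled in earlier iterations are not undone, so the result the caller sees for a partially valid vector should be spelled out. The unlikely() on an error path is fine; the same annotation could be applied in the copy_from_user_mmap_sem() hunk for consistency.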
--
1.5.4.22.g7a20


--
Jens Axboe
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo [at] vger
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
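As an added illustration, not code from the patch or from the kernel, the following userspace model shows what the access_ok() check the commit message asks for has to establish: that the whole [base, base + len) range lies in user space, computed so that a large len cannot wrap the end address back into low memory, together with the stop-at-first-bad-entry loop shape the vmsplice_to_user() hunk uses. USER_LIMIT, range_ok(), model_iovec, accept_iovecs() and the sample vector are constructed names and values for this example, not the kernel's definitions.

```c
/* Added example (not kernel code): a userspace model of the range check
 * that access_ok() performs before copying to or from a user pointer.
 * All names and constants below are constructed for illustration. */
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed: user space is [0, USER_LIMIT); anything at or above the
 * limit stands in for kernel memory in this model. */
#define USER_LIMIT 0x0000800000000000ULL

/* True only if every byte of [addr, addr + len) lies below USER_LIMIT.
 * The subtraction form keeps a huge len from wrapping addr + len around
 * and passing a naive "addr + len <= limit" comparison. */
static bool range_ok(uint64_t addr, size_t len)
{
    if (addr > USER_LIMIT)
        return false;
    return len <= USER_LIMIT - addr;
}

struct model_iovec {
    uint64_t base;   /* user-supplied destination address */
    size_t len;      /* bytes the caller asked to have written there */
};

/* Model of the per-entry validation the vmsplice_to_user() hunk adds:
 * walk the vector, stop at the first entry whose range is not in user
 * space, and report how many entries were accepted before it. *err is
 * set to -EFAULT on failure and left at 0 when every entry passes. */
static size_t accept_iovecs(const struct model_iovec *iov, size_t n, int *err)
{
    size_t accepted = 0;

    *err = 0;
    for (size_t i = 0; i < n; i++) {
        if (!range_ok(iov[i].base, iov[i].len)) {
            *err = -EFAULT;
            break;
        }
        accepted++;
    }
    return accepted;
}

/* Constructed sample vector: one valid entry, one whose base lies in the
 * kernel half, and one valid entry that is never reached. */
static const struct model_iovec sample_vec[] = {
    { 0x0000000000401000ULL, 4096 },
    { 0xffff880000000000ULL, 8 },
    { 0x0000000000402000ULL, 8 },
};
#define SAMPLE_N (sizeof(sample_vec) / sizeof(sample_vec[0]))

int main(void)
{
    int err;
    size_t ok = accept_iovecs(sample_vec, SAMPLE_N, &err);

    printf("accepted %zu of %zu iovecs, err=%d\n", ok, SAMPLE_N, err);
    return 0;
}
```

The wrap-around case is the one worth keeping in mind when reviewing checks like this: with a naive addition, a base just below the limit and a len near SIZE_MAX would compute an end address that looks small and valid.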


oliver.pntr at gmail

Feb 8, 2008, 9:48 AM

Post #2 of 4 (7985 views)
Re: [PATCH] splice: missing user pointer access verification (CVE-2008-0009/10) [In reply to]

Greg, is it for .22, or has splice changed between .22 and .23?

On 2/8/08, Greg KH <greg [at] kroah> wrote:
> From: Jens Axboe <jens.axboe [at] oracle>
>
> vmsplice_to_user() must always check the user pointer and length
> with access_ok() before copying. Likewise, for the slow path of
> copy_from_user_mmap_sem() we need to check that we may read from
> the user region.
>
> Signed-off-by: Jens Axboe <jens.axboe [at] oracle>
> Cc: Wojciech Purczynski <cliph [at] research>
> Signed-off-by: Greg Kroah-Hartman <gregkh [at] suse>
> ---
>
> Linus, this fixes a security hole in splice that is now public. I have
> it queued up for the .23 and .24 -stable releases as well.
>
> fs/splice.c | 8 ++++++++
> 1 files changed, 8 insertions(+), 0 deletions(-)
>
> diff --git a/fs/splice.c b/fs/splice.c
> index 4ee49e8..14e2262 100644
> --- a/fs/splice.c
> +++ b/fs/splice.c
> @@ -1179,6 +1179,9 @@ static int copy_from_user_mmap_sem(void *dst, const
> void __user *src, size_t n)
> {
> int partial;
>
> + if (!access_ok(VERIFY_READ, src, n))
> + return -EFAULT;
> +
> pagefault_disable();
> partial = __copy_from_user_inatomic(dst, src, n);
> pagefault_enable();
> @@ -1387,6 +1390,11 @@ static long vmsplice_to_user(struct file *file, const
> struct iovec __user *iov,
> break;
> }
>
> + if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
> + error = -EFAULT;
> + break;
> + }
> +
> sd.len = 0;
> sd.total_len = len;
> sd.flags = flags;
> --
> 1.5.4.22.g7a20
>
>
> --
> Jens Axboe
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo [at] vger
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>


--
Thanks,
Oliver


greg at kroah

Feb 8, 2008, 10:09 AM

Post #3 of 4 (7968 views)
Re: [PATCH] splice: missing user pointer access verification (CVE-2008-0009/10) [In reply to]

On Fri, Feb 08, 2008 at 06:48:54PM +0100, Oliver Pinter wrote:
> greg it's for .22 or the splice is changed between .22 and .23?

splice changed for .23 and this only affects .23 and older kernels, so
.22 and older kernels do not have issues.

thanks,

greg k-h


oliver.pntr at gmail

Feb 8, 2008, 10:10 AM

Post #4 of 4 (7980 views)
Re: [PATCH] splice: missing user pointer access verification (CVE-2008-0009/10) [In reply to]

Hmm, if I see correctly, this is not for .22, and it (vmsplice_to_user)
came with .23.

On 2/8/08, Oliver Pinter <oliver.pntr [at] gmail> wrote:
> greg it's for .22 or the splice is changed between .22 and .23?
>
> On 2/8/08, Greg KH <greg [at] kroah> wrote:
> > From: Jens Axboe <jens.axboe [at] oracle>
> >
> > vmsplice_to_user() must always check the user pointer and length
> > with access_ok() before copying. Likewise, for the slow path of
> > copy_from_user_mmap_sem() we need to check that we may read from
> > the user region.
> >
> > Signed-off-by: Jens Axboe <jens.axboe [at] oracle>
> > Cc: Wojciech Purczynski <cliph [at] research>
> > Signed-off-by: Greg Kroah-Hartman <gregkh [at] suse>
> > ---
> >
> > Linus, this fixes a security hole in splice that is now public. I have
> > it queued up for the .23 and .24 -stable releases as well.
> >
> > fs/splice.c | 8 ++++++++
> > 1 files changed, 8 insertions(+), 0 deletions(-)
> >
> > diff --git a/fs/splice.c b/fs/splice.c
> > index 4ee49e8..14e2262 100644
> > --- a/fs/splice.c
> > +++ b/fs/splice.c
> > @@ -1179,6 +1179,9 @@ static int copy_from_user_mmap_sem(void *dst, const
> > void __user *src, size_t n)
> > {
> > int partial;
> >
> > + if (!access_ok(VERIFY_READ, src, n))
> > + return -EFAULT;
> > +
> > pagefault_disable();
> > partial = __copy_from_user_inatomic(dst, src, n);
> > pagefault_enable();
> > @@ -1387,6 +1390,11 @@ static long vmsplice_to_user(struct file *file,
> const
> > struct iovec __user *iov,
> > break;
> > }
> >
> > + if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
> > + error = -EFAULT;
> > + break;
> > + }
> > +
> > sd.len = 0;
> > sd.total_len = len;
> > sd.flags = flags;
> > --
> > 1.5.4.22.g7a20
> >
> >
> > --
> > Jens Axboe
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> > the body of a message to majordomo [at] vger
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> > Please read the FAQ at http://www.tux.org/lkml/
> >
>
>
> --
> Thanks,
> Oliver
>


--
Thanks,
Oliver
