From 1b7389767f7945f301d57c1150c02b01effacfe4 Mon Sep 17 00:00:00 2001 From: Michael Marineau Date: Fri, 22 Feb 2008 23:39:58 +0000 Subject: Fix CVE-2008-0600 for 2.6.20 svn path=/patches/; revision=70 --- trunk/2.6.20/00000_README | 3 ++ trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch | 37 ++++++++++++++++++++++++ 2 files changed, 40 insertions(+) create mode 100644 trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch diff --git a/trunk/2.6.20/00000_README b/trunk/2.6.20/00000_README index 3807690..7673e98 100644 --- a/trunk/2.6.20/00000_README +++ b/trunk/2.6.20/00000_README @@ -26,6 +26,9 @@ Patches 20xxx-? Various bug-fix patches from Redhat. +26000_linux-2.6-cve-2008-0600.patch + Fix the vmsplice issue CVE 2008-0600 from the 2.6.21 patchset. + 30037_amd64-zero-extend-32bit-ptrace-xen.patch [SECURITY] Zero extend all registers after ptrace in 32-bit entry path (Xen). diff --git a/trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch b/trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch new file mode 100644 index 0000000..b783259 --- /dev/null +++ b/trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch 
@@ -0,0 +1,37 @@ +From: Bastian Blank +Date: Sun, 10 Feb 2008 14:47:57 +0000 (+0200) +Subject: splice: fix user pointer access in get_iovec_page_array() +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=712a30e63c8066ed84385b12edbfb804f49cbc44 + +splice: fix user pointer access in get_iovec_page_array() + +Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user +pointer access verification") added the proper access_ok() calls to +copy_from_user_mmap_sem() which ensures we can copy the struct iovecs +from userspace to the kernel. + +But we also must check whether we can access the actual memory region +pointed to by the struct iovec to fix the access checks properly. + +Signed-off-by: Bastian Blank +Acked-by: Oliver Pinter +Cc: Jens Axboe +Cc: Andrew Morton +Signed-off-by: Pekka Enberg +Signed-off-by: Linus Torvalds +--- + +diff --git a/fs/splice.c b/fs/splice.c +index 14e2262..9b559ee 100644 +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -1234,7 +1234,7 @@ static int get_iovec_page_array(const struct iovec __user *iov, + if (unlikely(!len)) + break; + error = -EFAULT; +- if (unlikely(!base)) ++ if (!access_ok(VERIFY_READ, base, len)) + break; + + /* + -- cgit v1.2.3-65-gdbad
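Review bot: In the 00000_README hunk, the new entry writes the identifier as "CVE 2008-0600", while the patch file name and the commit subject both use the hyphenated "CVE-2008-0600". Use the hyphenated form so that a search of the README for the CVE id finds this entry. The neighbouring 30037 entry is marked [SECURITY]; this entry is a security fix too and should carry the same tag.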
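Review bot: In the new 26000_linux-2.6-cve-2008-0600.patch file, the quoted commit message says the fs/splice.c change builds on commit 8811930dc74a503415b35c4a79d14fb0b408a361, which added access_ok() to copy_from_user_mmap_sem(), but nothing in this backport states whether that commit is already part of the 2.6.20 patch set. Note that in the README entry, or carry the earlier commit as well, because the one-line change here only checks the memory region the iovec points to, not the copy of the struct iovec itself. A smaller point on the same hunk: the replacement line drops both the unlikely() hint and the explicit `!base` test, so if a NULL base must still break out with -EFAULT at this point, confirm that access_ok(VERIFY_READ, base, len) covers it on the targeted architectures or keep the NULL test next to the new check.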