diff options
author | Jens Axboe <jens.axboe@oracle.com> | 2008-02-08 08:49:14 -0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2008-02-08 11:46:30 -0800 |
commit | cece280a46c9b5c0adb4d5251f42c082a578e1ad (patch) | |
tree | dc9e74691411f9702b80266e144b75bdd1de0cf7 | |
parent | 1dcde8747cb95109b731894bde1a39634d6089f3 (diff) |
splice: missing user pointer access verification (CVE-2008-0009/10)
patch 8811930dc74a503415b35c4a79d14fb0b408a361 in mainline.
vmsplice_to_user() must always check the user pointer and length
with access_ok() before copying. Likewise, for the slow path of
copy_from_user_mmap_sem() we need to check that we may read from
the user region.
Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
Cc: Wojciech Purczynski <cliph@research.coseinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | fs/splice.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/fs/splice.c b/fs/splice.c index 6bdcb6107bc..36fdc614c3a 100644 --- a/fs/splice.c +++ b/fs/splice.c @@ -1184,6 +1184,9 @@ static int copy_from_user_mmap_sem(void *dst, const void __user *src, size_t n) { int partial; + if (!access_ok(VERIFY_READ, src, n)) + return -EFAULT; + pagefault_disable(); partial = __copy_from_user_inatomic(dst, src, n); pagefault_enable(); @@ -1392,6 +1395,11 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *iov, break; } + if (unlikely(!access_ok(VERIFY_WRITE, base, len))) { + error = -EFAULT; + break; + } + sd.len = 0; sd.total_len = len; sd.flags = flags; |