On Feb 10, 2008 1:38 AM, Niki Denev <ndenev@gmail.com> wrote:
this fixed the problem for me (kernel 2.6.24.1) :
It appears that the initial patch checked the input to vmsplice_to_user,
but the exploit used vmsplice_to_pipe which remained open to the attack.
--- fs/splice.c.orig 2008-02-08 21:55:30.000000000 +0200
+++ fs/splice.c 2008-02-10 11:32:50.000000000 +0200
@@ -1443,6 +1443,10 @@
struct pipe_inode_info *pipe;
struct page *pages[PIPE_BUFFERS];
struct partial_page partial[PIPE_BUFFERS];
+ int error;
+ long ret;
+ void __user *base;
+ size_t len;
struct splice_pipe_desc spd = {
.pages = pages,
.partial = partial,
@@ -1450,6 +1454,31 @@
.ops = &user_page_pipe_buf_ops,
};
+ error = ret = 0;
+
+ /*
+ * Get user address base and length for this iovec.
+ */
+ error = get_user(base, &iov->iov_base);
+ if (unlikely(error))
+ return error;
+ error = get_user(len, &iov->iov_len);
+ if (unlikely(error))
+ return error;
+
+ /*
+ * Sanity check this iovec. 0 read succeeds.
+ */
+ if (unlikely(!len))
+ return 0;
+ if (unlikely(!base)) {
+ return -EFAULT;
+ }
+
+ if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+ return -EFAULT;
+ }
+
pipe = pipe_info(file->f_path.dentry->d_inode);
if (!pipe)
return -EBADF;
--