Home » Mailing list archives » linux-kernel » 2008 » February » 10

Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Niki Denev
Subject: Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit
Date: Sunday, February 10, 2008 - 2:40 am

On Feb 10, 2008 1:38 AM, Niki Denev <ndenev@gmail.com> wrote:

this fixed the problem for me (kernel 2.6.24.1) :
It appears that the initial patch checked the input to vmsplice_to_user,
but the exploit used vmsplice_to_pipe which remained open to the attack.

--- fs/splice.c.orig	2008-02-08 21:55:30.000000000 +0200
+++ fs/splice.c	2008-02-10 11:32:50.000000000 +0200
@@ -1443,6 +1443,10 @@
 	struct pipe_inode_info *pipe;
 	struct page *pages[PIPE_BUFFERS];
 	struct partial_page partial[PIPE_BUFFERS];
+	int error;
+	long ret;
+	void __user *base;
+	size_t len;
 	struct splice_pipe_desc spd = {
 		.pages = pages,
 		.partial = partial,
@@ -1450,6 +1454,31 @@
 		.ops = &user_page_pipe_buf_ops,
 	};

+	error = ret = 0;
+
+	/*
+	 * Get user address base and length for this iovec.
+	 */
+	error = get_user(base, &iov->iov_base);
+	if (unlikely(error))
+		return error;
+	error = get_user(len, &iov->iov_len);
+	if (unlikely(error))
+		return error;
+
+	/*
+	 * Sanity check this iovec. 0 read succeeds.
+	 */
+	if (unlikely(!len))
+		return 0;
+	if (unlikely(!base)) {
+		return -EFAULT;	
+	}
+
+	if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+		return -EFAULT;
+	}
+
 	pipe = pipe_info(file->f_path.dentry->d_inode);
 	if (!pipe)
 		return -EBADF;
--
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
kernel 2.6.24.1 still vulnerable to the vmsplice local roo ..., Niki Denev, (Sat Feb 9, 11:04 pm)
Re: kernel 2.6.24.1 still vulnerable to the vmsplice local ..., Willy Tarreau, (Sat Feb 9, 11:32 pm)
Re: kernel 2.6.24.1 still vulnerable to the vmsplice local ..., Niki Denev, (Sat Feb 9, 11:38 pm)
Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmspli ..., Niki Denev, (Sun Feb 10, 2:40 am)
Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmspli ..., Oliver Pinter, (Sun Feb 10, 5:04 am)
Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmspli ..., Bastian Blank, (Sun Feb 10, 5:22 am)
Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmspli ..., Niki Denev, (Sun Feb 10, 5:39 am)
Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmspli ..., Bastian Blank, (Sun Feb 10, 5:47 am)
Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmspli ..., Niki Denev, (Sun Feb 10, 5:54 am)
Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmspli ..., Oliver Pinter, (Sun Feb 10, 6:02 am)
Re: [PATCH] kernel 2.6.24.1 still vulnerable to the vmspli ..., Niki Denev, (Sun Feb 10, 6:48 am)
Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to t ..., Greg KH, (Sun Feb 10, 10:05 am)
Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to t ..., Pekka Enberg, (Sun Feb 10, 10:11 am)
Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to t ..., Oliver Pinter, (Sun Feb 10, 10:44 am)
Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to t ..., Oliver Pinter, (Sun Feb 10, 10:48 am)