splice: fix user pointer access in get_iovec_page_array() (CVE-2008-0600)

patch 712a30e63c8066ed84385b12edbfb804f49cbc44 in mainline. Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user pointer access verification") added the proper access_ok() calls to copy_from_user_mmap_sem() which ensures we can copy the struct iovecs from userspace to the kernel. But we also must check whether we can access the actual memory region pointed to by the struct iovec to fix the access checks properly. Signed-off-by: Bastian Blank <waldi@debian.org> Acked-by: Oliver Pinter <oliver.pntr@gmail.com> Cc: Jens Axboe <jens.axboe@oracle.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Bastian Blank <bastian@waldi.eu.org> 2008-02-10 16:47:57 +0200
committer: Greg Kroah-Hartman <gregkh@suse.de> 2008-02-10 23:28:08 -0800
commit: af395d8632d0524be27d8774a1607e68bdb4dd7f (patch)
tree: 00423b26500fb278041cf5e1a7952a73a2a51ffd
parent: b176a15fefc84764bf047cf306a3cff3ae53e7c3 (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/splice.c b/fs/splice.c
index e263d3b36145..dbbe267211b1 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1182,6 +1182,9 @@ static int get_iovec_page_array(const struct iovec __user *iov,
 		if (unlikely(!base))
 			break;
 
+		if (!access_ok(VERIFY_READ, base, len))
+			break;
+
 		/*
 		 * Get this base offset and number of pages, then map
 		 * in the user pages.
author	Bastian Blank <bastian@waldi.eu.org>	2008-02-10 16:47:57 +0200
committer	Greg Kroah-Hartman <gregkh@suse.de>	2008-02-10 23:28:08 -0800
commit	af395d8632d0524be27d8774a1607e68bdb4dd7f (patch)
tree	00423b26500fb278041cf5e1a7952a73a2a51ffd
parent	b176a15fefc84764bf047cf306a3cff3ae53e7c3 (diff)