diff options
-rw-r--r-- | trunk/2.6.20/00000_README | 3 | ||||
-rw-r--r-- | trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch | 37 |
2 files changed, 40 insertions, 0 deletions
diff --git a/trunk/2.6.20/00000_README b/trunk/2.6.20/00000_README index 3807690..7673e98 100644 --- a/trunk/2.6.20/00000_README +++ b/trunk/2.6.20/00000_README @@ -26,6 +26,9 @@ Patches 20xxx-? Various bug-fix patches from Redhat. +26000_linux-2.6-cve-2008-0600.patch + Fix the vmsplice issue CVE 2008-0600 from the 2.6.21 patchset. + 30037_amd64-zero-extend-32bit-ptrace-xen.patch [SECURITY] Zero extend all registers after ptrace in 32-bit entry path (Xen). diff --git a/trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch b/trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch new file mode 100644 index 0000000..b783259 --- /dev/null +++ b/trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch @@ -0,0 +1,37 @@ +From: Bastian Blank <bastian@waldi.eu.org> +Date: Sun, 10 Feb 2008 14:47:57 +0000 (+0200) +Subject: splice: fix user pointer access in get_iovec_page_array() +X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=712a30e63c8066ed84385b12edbfb804f49cbc44 + +splice: fix user pointer access in get_iovec_page_array() + +Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user +pointer access verification") added the proper access_ok() calls to +copy_from_user_mmap_sem() which ensures we can copy the struct iovecs +from userspace to the kernel. + +But we also must check whether we can access the actual memory region +pointed to by the struct iovec to fix the access checks properly. + +Signed-off-by: Bastian Blank <waldi@debian.org> +Acked-by: Oliver Pinter <oliver.pntr@gmail.com> +Cc: Jens Axboe <jens.axboe@oracle.com> +Cc: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +--- + +diff --git a/fs/splice.c b/fs/splice.c +index 14e2262..9b559ee 100644 +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -1234,7 +1234,7 @@ static int get_iovec_page_array(const struct iovec __user *iov, + if (unlikely(!len)) + break; + error = -EFAULT; +- if (unlikely(!base)) ++ if (!access_ok(VERIFY_READ, base, len)) + break; + + /* + |