
Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)



tags 464945 patch

On Sun, Feb 10, 2008 at 03:19:20AM +0300, Okulov Vitaliy wrote:
> Just tried the exploit from http://www.milw0rm.com/exploits/5092 on my
> linux-image-2.6.18-5-686 kernel, and it works. Please backport the patch
> from the 2.6.24.1 kernel (CVE-2008-0009/10).

Preliminary patch; it includes more checks than the update in 2.6.24.1.

It at least fixes the exploit.

Bastian
diff --git a/fs/splice.c b/fs/splice.c
index 684bca3..2d7e598 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1122,6 +1122,11 @@ static int get_iovec_page_array(const struct iovec __user *iov,
 		size_t len;
 		int i;
 
+		if (!access_ok(VERIFY_READ, iov, sizeof(struct iovec))) {
+			error = -EFAULT;
+			break;
+		}
+
 		/*
 		 * Get user address base and length for this iovec.
 		 */
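
Review bot: The new access_ok(VERIFY_READ, iov, sizeof(struct iovec)) check at the top of the loop body has no comment, while the steps around it each carry a block comment ("Get user address base and length for this iovec."). Please add one saying why the iovec itself needs validating before the read that follows. The message says the patch has more checks than the 2.6.24.1 update without naming them; if this is one of the extra ones, say so in the commit message so a later backport review can tell which check corresponds to the upstream fix.
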
@@ -1141,6 +1146,11 @@ static int get_iovec_page_array(const struct iovec __user *iov,
 		if (unlikely(!base))
 			break;
 
+		if (!access_ok(VERIFY_READ, base, len)) {
+			error = -EFAULT;
+			break;
+		}
+
 		/*
 		 * Get this base offset and number of pages, then map
 		 * in the user pages.
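
Review bot: The access_ok(VERIFY_READ, base, len) check sets error = -EFAULT before break, whereas the `if (unlikely(!base))` test directly above it breaks without touching error. Please confirm that the code after the loop handles a fault on a later iovec consistently with pages already mapped by earlier iterations, and note the intended behaviour in a comment. For style, wrap the new condition in unlikely() to match the preceding test, since the failure path is the rare one.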
