Bug#464945: linux-image-2.6.18-6-686: Exploit for vmsplice work for linux-image-2.18-5-686 (CVE-2008-0009/10)
* Bastian Blank:
> diff --git a/fs/splice.c b/fs/splice.c
> index 684bca3..2d7e598 100644
> --- a/fs/splice.c
> +++ b/fs/splice.c
> @@ -1122,6 +1122,11 @@ static int get_iovec_page_array(const struct iovec __user *iov,
> size_t len;
> int i;
>
> + if (!access_ok(VERIFY_READ, iov, sizeof(struct iovec))) {
> + error = -EFAULT;
> + break;
> + }
> +
> /*
> * Get user address base and length for this iovec.
> */
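Review bot: the access_ok() check added in this hunk is redundant with the get_user() reads that follow it, since get_user() performs its own user-pointer validation and fails with -EFAULT on a bad address, so the hunk adds no protection on its own (it is harmless, though). If it is kept, note that it sets `error` and `break`s out of the enclosing loop; the function's exit path must then return `error` rather than the count of pages already collected for earlier iovecs, and that return path lies outside this hunk's context lines and should be confirmed.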
For the record, the above hunk is unnecessary because the get_user()
calls which immediately follow the quoted code perform implicit
access_ok() checks. CVE-2008-0010 does NOT apply to our 2.6.18 kernel
(but the additional access_ok() call doesn't cause any harm, either).
I'm writing this because some vendors have released pre-2.6.23 patches
without this hunk, and I don't want to create the impression that they are still
vulnerable.