vmsplice localroot exploit

marty goodoldmarty at gmail.com
Tue Feb 19 16:51:03 PST 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are patches "claimed" to fix the Linux-2.6.23.14 vmsplice localroot exploit.
I just copied them and have not had time to buy beer and chocolate for testing.
There is only a small amount of code to change, so it is better to do it manually.
Just need to edit linux-2.6.23.14/fs/splice.c. Make a backup.

splice1.patch


diff --git a/fs/splice.c b/fs/splice.c
index 02c39ae..2aa8f5a 100644
- --- a/fs/splice.c
+++ b/fs/splice.c
@@ -1234,6 +1234,9 @@ static int copy_from_user_mmap_sem(void *dst, const void
__user *src, size_t n)
 {
 	int partial;

+	if (!access_ok(VERIFY_READ, src, n))
+		return -EFAULT;
+
 	pagefault_disable();
 	partial = __copy_from_user_inatomic(dst, src, n);
 	pagefault_enable();
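
Review bot: In copy_from_user_mmap_sem() the new access_ok(VERIFY_READ, src, n) test is not wrapped in unlikely(), while the equivalent test added to vmsplice_to_user() in this same patch is; use one form for both. The check belongs at this spot because __copy_from_user_inatomic() is the double-underscore variant that does not validate the user range itself, and a one-line comment above the check saying so would keep a later cleanup from removing it as redundant.
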
@@ -1442,6 +1445,11 @@ static long vmsplice_to_user(struct file *file, const
struct iovec __user *iov,
 			break;
 		}

+		if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+			error = -EFAULT;
+			break;
+		}
+
 		sd.len = 0;
 		sd.total_len = len;
 		sd.flags = flags;
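
Review bot: In vmsplice_to_user() the new failure path sets error = -EFAULT and breaks, and the visible context does not show what the function returns when this happens after earlier iovec entries were already processed (the break suggests this sits in a loop over them). Confirm that case returns what the caller expects, either the bytes already transferred or the error, and say which in the commit text. VERIFY_WRITE is the right direction for this function since it writes into the user buffer described by base and len.
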



splice_2.patch


diff --git a/fs/splice.c b/fs/splice.c
index 2aa8f5a..1a9c0e6 100644
- --- a/fs/splice.c
+++ b/fs/splice.c
@@ -1289,7 +1289,7 @@ static int get_iovec_page_array(const struct iovec __user
*iov,
 		if (unlikely(!len))
 			break;
 		error = -EFAULT;
- -		if (unlikely(!base))
+		if (!access_ok(VERIFY_READ, base, len))
 			break;

 		/*
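
Review bot: In get_iovec_page_array() the access_ok(VERIFY_READ, base, len) test replaces the if (unlikely(!base)) test instead of being added next to it, so the explicit NULL rejection is gone. access_ok() only checks that the range lies inside the user address space, and a NULL base with a small len passes that test. If a NULL base should still fail with -EFAULT at this point, keep both conditions, for example if (unlikely(!base || !access_ok(VERIFY_READ, base, len))); otherwise state in the commit text that whatever consumes base afterwards is relied on to reject it. The unlikely() hint is also dropped in this hunk, which is inconsistent with the check added to vmsplice_to_user() in splice1.patch.
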



Marty B.

- --
Putting Microsoft in a computer is like putting screen doors in a submarine.
Hopeless.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFHu3l3odd/GHZYnVQRAjt0AKCF5a5lL24vLy2A2mkYQRXO7BnmdACgwHi2
VOglHJAld0vGmSCtriutPWI=
=O4tI
-----END PGP SIGNATURE-----



More information about the hlfs-dev mailing list