rpms/kernel/devel linux-2.6-cve-2008-0600.patch, NONE, 1.1 kernel.spec, 1.411, 1.412
- From: Dave Airlie (airlied) <fedora-extras-commits redhat com>
- To: fedora-extras-commits redhat com
- Subject: rpms/kernel/devel linux-2.6-cve-2008-0600.patch, NONE, 1.1 kernel.spec, 1.411, 1.412
- Date: Sun, 10 Feb 2008 16:21:25 -0500
Author: airlied
Update of /cvs/pkgs/rpms/kernel/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv14419
Modified Files:
kernel.spec
Added Files:
linux-2.6-cve-2008-0600.patch
Log Message:
* Sun Feb 10 2008 Dave Airlie <airlied redhat com>
- CVE-2008-0600 - remote root vulnerability in vmsplice
linux-2.6-cve-2008-0600.patch:
--- NEW FILE linux-2.6-cve-2008-0600.patch ---
From: Bastian Blank <bastian waldi eu org>
Date: Sun, 10 Feb 2008 14:47:57 +0000 (+0200)
Subject: splice: fix user pointer access in get_iovec_page_array()
X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=712a30e63c8066ed84385b12edbfb804f49cbc44
splice: fix user pointer access in get_iovec_page_array()
Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
pointer access verification") added the proper access_ok() calls to
copy_from_user_mmap_sem() which ensures we can copy the struct iovecs
from userspace to the kernel.
But we also must check whether we can access the actual memory region
pointed to by the struct iovec to fix the access checks properly.
Signed-off-by: Bastian Blank <waldi debian org>
Acked-by: Oliver Pinter <oliver pntr gmail com>
Cc: Jens Axboe <jens axboe oracle com>
Cc: Andrew Morton <akpm linux-foundation org>
Signed-off-by: Pekka Enberg <penberg cs helsinki fi>
Signed-off-by: Linus Torvalds <torvalds linux-foundation org>
---
diff --git a/fs/splice.c b/fs/splice.c
index 14e2262..9b559ee 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1234,7 +1234,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
if (unlikely(!len))
break;
error = -EFAULT;
- if (unlikely(!base))
+ if (!access_ok(VERIFY_READ, base, len))
break;
/*
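Review bot: the replacement test `if (!access_ok(VERIFY_READ, base, len))` drops the unlikely() hint that both the removed line and the neighbouring `if (unlikely(!len))` carry, and it removes the explicit NULL check on base. Suggest `if (unlikely(!access_ok(VERIFY_READ, base, len)))` to keep the branch hint. The commit message should also say whether a NULL base is still expected to fail with -EFAULT, since the dedicated `!base` test is gone and only the range check remains at this point.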
Index: kernel.spec
===================================================================
RCS file: /cvs/pkgs/rpms/kernel/devel/kernel.spec,v
retrieving revision 1.411
retrieving revision 1.412
diff -u -r1.411 -r1.412
--- kernel.spec 10 Feb 2008 19:34:11 -0000 1.411
+++ kernel.spec 10 Feb 2008 21:20:32 -0000 1.412
@@ -551,6 +551,8 @@
# stable release candidate
# Patch03: patch-2.6.24.1-rc1.bz2
+Patch05: linux-2.6-cve-2008-0600.patch
+
# we always need nonintconfig, even for -vanilla kernels
Patch06: linux-2.6-build-nonintconfig.patch
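Review bot: the new `Patch05:` entry has no comment, unlike the entries on either side of it (`# stable release candidate`, `# we always need nonintconfig, even for -vanilla kernels`). Suggest a one-line comment above it naming CVE-2008-0600 and upstream commit 712a30e63c8066ed84385b12edbfb804f49cbc44, so it is obvious when the patch can be dropped after a rebase onto a stable release that contains the fix.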
@@ -1002,6 +1004,8 @@
%if !%{nopatches}
+ApplyPatch linux-2.6-cve-2008-0600.patch
+
# Revert -stable pieces we get from elsewhere here
ApplyPatch linux-2.6-upstream-reverts.patch -R
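Review bot: `ApplyPatch linux-2.6-cve-2008-0600.patch` sits inside `%if !%{nopatches}`, so any build with nopatches set ships without the fix. If that is intended, a comment saying so would help; otherwise the security fix should be applied outside the conditional. It is also applied before the `linux-2.6-upstream-reverts.patch -R` step, so confirm the revert does not touch fs/splice.c.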
@@ -1798,6 +1802,9 @@
%kernel_variant_files -a /%{image_install_path}/xen*-%{KVERREL} -e /etc/ld.so.conf.d/kernelcap-%{KVERREL}.conf %{with_xen} xen
%changelog
+* Sun Feb 10 2008 Dave Airlie <airlied redhat com>
+- CVE-2008-0600 - remote root vulnerability in vmsplice
+
* Sun Feb 10 2008 Jarod Wilson <jwilson redhat com>
- firewire-core: improve logging of device connections
- firewire-sbp2: handle device reconnections more smoothly
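Review bot: the added changelog line says "remote root vulnerability in vmsplice", but the patch it refers to fixes a user-pointer check in get_iovec_page_array(), which takes a `const struct iovec __user *iov` from the calling process. Suggest wording it as a local privilege escalation, and naming the patch file in the entry so the changelog can be matched to `Patch05`.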