-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Here are patches that are "claimed" to fix the vmsplice local root exploit in Linux-2.6.23.14.
I just copied them and have not had time to buy beer and chocolate for testing.
There is only a small amount of code to change, so it is better to make the changes by hand.
You only need to edit linux-2.6.23.14/fs/splice.c. Make a backup first.
splice1.patch
diff --git a/fs/splice.c b/fs/splice.c
index 02c39ae..2aa8f5a 100644
- --- a/fs/splice.c
+++ b/fs/splice.c
@@ -1234,6 +1234,9 @@ static int copy_from_user_mmap_sem(void *dst, const void
__user *src, size_t n)
{
int partial;
+ if (!access_ok(VERIFY_READ, src, n))
+ return -EFAULT;
+
pagefault_disable();
partial = __copy_from_user_inatomic(dst, src, n);
pagefault_enable();
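Review bot: The new `access_ok(VERIFY_READ, src, n)` test in copy_from_user_mmap_sem has no comment explaining why it is needed, and the reason is easy to lose in a later cleanup. The `__copy_from_user_inatomic` call two lines below is one of the double-underscore copy helpers, which leave the address-range check to the caller, so this function must confirm that `src` is a user-space range before copying. I would put `/* __copy_from_user_inatomic() does no range check; reject non-user src here */` above the test. The function body continues past the end of the hunk.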
@@ -1442,6 +1445,11 @@ static long vmsplice_to_user(struct file *file, const
struct iovec __user *iov,
break;
}
+ if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+ error = -EFAULT;
+ break;
+ }
+
sd.len = 0;
sd.total_len = len;
sd.flags = flags;
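Review bot: The check added in vmsplice_to_user uses `VERIFY_WRITE` while the other two checks in these patches use `VERIFY_READ`, and nothing at the site says why the direction differs. Judging by the function name, `base`/`len` describe a user buffer that pipe data is copied into, so a one-line comment such as `/* destination is user memory: validate the whole range for writing before the actor runs */` would make that explicit. The lines that load `base` and `len` from the iovec, and the loop this `break` leaves, are outside the hunk, so whether `len` is bounded elsewhere cannot be confirmed from here.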
splice_2.patch
diff --git a/fs/splice.c b/fs/splice.c
index 2aa8f5a..1a9c0e6 100644
- --- a/fs/splice.c
+++ b/fs/splice.c
@@ -1289,7 +1289,7 @@ static int get_iovec_page_array(const struct iovec __user
*iov,
if (unlikely(!len))
break;
error = -EFAULT;
- - if (unlikely(!base))
+ if (!access_ok(VERIFY_READ, base, len))
break;
/*
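Review bot: The replacement line in get_iovec_page_array drops both the `unlikely()` hint and the explicit NULL test that the old `if (unlikely(!base))` had. `access_ok` only checks that `base..base+len` lies inside the user address range, so a NULL `base` is no longer rejected at this line; presumably the page lookup that follows fails for an unmapped address, but that code is outside the hunk and should be confirmed. For consistency with the check added in vmsplice_to_user I would write `if (unlikely(!access_ok(VERIFY_READ, base, len)))`, with a short comment that the range must be validated before any pages are pinned.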
Marty B.
- --
Putting Microsoft in a computer is like putting screen doors in a submarine.
Hopeless.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFHu3l3odd/GHZYnVQRAjt0AKCF5a5lL24vLy2A2mkYQRXO7BnmdACgwHi2
VOglHJAld0vGmSCtriutPWI=
=O4tI
-----END PGP SIGNATURE-----