On Sun, Feb 10, 2008 at 02:02:27PM +0100, Oliver Pinter wrote: > thx it fixed for 2.6.22 > > >>>>>>> > > commit f6e993b835393543bab2d917f9dea75218473edd > Author: Oliver Pinter <[EMAIL PROTECTED]> > Date: Sun Feb 10 14:03:46 2008 +0100 > > [PATCH] vm: splice local root exploit fix for 2.6.22.y > > Based on Bastian Blank's patch > > Fix for CVE_2008_0009 and CVE_2008-0010 > > ----->8----- > > [EMAIL PROTECTED]:/tmp$ ./2617_26241_root_exploit > ----------------------------------- > Linux vmsplice Local Root Exploit > By qaaz > ----------------------------------- > [+] mmap: 0x0 .. 0x1000 > [+] page: 0x0 > [+] page: 0x20 > [+] mmap: 0x4000 .. 0x5000 > [+] page: 0x4000 > [+] page: 0x4020 > [+] mmap: 0x1000 .. 0x2000 > [+] page: 0x1000 > [+] mmap: 0xb7f1a000 .. 0xb7f4c000 > [-] vmsplice: Bad address > > -----8<----- > > Signed-off-by: Oliver Pinter <[EMAIL PROTECTED]> > > diff --git a/fs/splice.c b/fs/splice.c > index e263d3b..d8b106e 100644 > --- a/fs/splice.c > +++ b/fs/splice.c > @@ -1182,6 +1182,12 @@ static int get_iovec_page_array(const struct > iovec __user *iov, > if (unlikely(!base)) > break; > > + /* CVE-2008-0009, CVE-2008-0010 fix */
No, this is a different CVE, as it is a different problem from the original 09 and 10 report. It has been given CVE-2008-0600 to address this issue (09 and 10 only affect .23 and .24 kernels, and have been fixed.) > + if(!access_ok(VERIFY_READ, base, len)) { > + error = -EFAULT; > + break; > + } Hm, perhaps we should just properly check the len field instead? That's what is being overflowed here... thanks, greg k-h -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/