Linux pancs 2.6.22.17-opt2-cve2 #1 SMP Sun Feb 10 16:22:37 CET 2008 i686 GNU/Linux ----------------------------------- Linux vmsplice Local Root Exploit By qaaz ----------------------------------- [+] mmap: 0x0 .. 0x1000 [+] page: 0x0 [+] page: 0x20 [+] mmap: 0x4000 .. 0x5000 [+] page: 0x4000 [+] page: 0x4020 [+] mmap: 0x1000 .. 0x2000 [+] page: 0x1000 [+] mmap: 0xb7f95000 .. 0xb7fc7000 [-] vmsplice: Bad address ----------------------------------- Linux vmsplice Local Root Exploit By qaaz ----------------------------------- [+] addr: 0xc01112e9 [-] wtf
the patch is good for 2.6.22.y On 2/11/08, Willy Tarreau <[EMAIL PROTECTED]> wrote: > On Sun, Feb 10, 2008 at 04:47:57PM +0200, Pekka J Enberg wrote: > > From: Bastian Blank <[EMAIL PROTECTED]> > > > > The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user > > pointer access verification") added access_ok() to > copy_from_user_mmap_sem() > > which only ensures we can copy the struct iovecs from userspace to the > kernel > > but we also must check whether we can access the actual memory region > pointed > > to by the struct iovec to close the local root exploit. > > > > Cc: <[EMAIL PROTECTED]> > > Cc: Jens Axboe <[EMAIL PROTECTED]> > > Cc: Andrew Morton <[EMAIL PROTECTED]> > > Signed-off-by: Pekka Enberg <[EMAIL PROTECTED]> > > --- > > Bastian, can I have your Signed-off-by for this, please? Oliver, Niki, can > > you please confirm this closes the hole? > > Pekka, I confirm that it also closes the hole once backported to 2.6.22. > > Willy > > -- Thanks, Oliver -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/