[paketler-commits] r41329 - in 2007/kernel-xen: dom0/kernel-dom0/files/CVE domU/kernel-domU/files/CVE

paketler-commits at pardus.org.tr paketler-commits at pardus.org.tr
10 Şub 2008 Paz 17:27:56 EET


Author: caglar
Date: Sun Feb 10 17:27:55 2008
New Revision: 41329

Modified:
   2007/kernel-xen/dom0/kernel-dom0/files/CVE/CVE-2008-0009.patch
   2007/kernel-xen/domU/kernel-domU/files/CVE/CVE-2008-0009.patch
Log:
merge

Modified: 2007/kernel-xen/dom0/kernel-dom0/files/CVE/CVE-2008-0009.patch
=================================================================
--- 2007/kernel-xen/dom0/kernel-dom0/files/CVE/CVE-2008-0009.patch	(original)
+++ 2007/kernel-xen/dom0/kernel-dom0/files/CVE/CVE-2008-0009.patch	Sun Feb 10 17:27:55 2008
@@ -1,20 +1,20 @@
-    Based on Bastian Blank's patch
+From: Bastian Blank <bastian at waldi.eu.org>
 
-    Fix for CVE_2008_0009 and CVE_2008-0010
+The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
+pointer access verification") added access_ok() to copy_from_user_mmap_sem()
+which only ensures we can copy the struct iovecs from userspace to the kernel
+but we also must check whether we can access the actual memory region pointed
+to by the struct iovec to close the local root exploit.
 
 diff --git a/fs/splice.c b/fs/splice.c
-index 684bca3..b2e8ea1 100644
---- a/fs/splice.c
-+++ b/fs/splice.c
-@@ -1140,6 +1140,11 @@ static int get_iovec_page_array(const struct iovec __user *iov,
+index 684bca3..c2c9dce 100644
+@@ -1140,6 +1140,9 @@ static int get_iovec_page_array(const struct iovec __user *iov,
  		error = -EFAULT;
  		if (unlikely(!base))
  			break;
 +		
-+		if (!access_ok(VERIFY_READ, base, len)) {
-+			error = -EFAULT;
++		if (unlikely(!access_ok(VERIFY_READ, base, len)))
 +			break;
-+		}
  
  		/*
  		 * Get this base offset and number of pages, then map
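Review bot: The new version of this patch file drops the `--- a/fs/splice.c` and `+++ b/fs/splice.c` lines, so the inner hunk `@@ -1140,6 +1140,9 @@` is left with only the `diff --git` and `index 684bca3..c2c9dce 100644` lines as its file header. A patch tool that does not parse git-style headers may be unable to identify the target file, and if the package build tolerates a patch that fails to apply, the kernel would be built without the added `access_ok(VERIFY_READ, base, len)` check in get_iovec_page_array; how the build applies this file is not visible here, so a dry-run apply against the kernel tree is worth doing. Restoring the two header lines directly after the `index` line removes the doubt. The domU copy of the patch, changed identically further down, has the same omission. The rewritten description also no longer carries the identifiers from the old `Fix for CVE_2008_0009 and CVE_2008-0010` line, and keeping a line that names them would leave the fix traceable from the patch itself.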

Modified: 2007/kernel-xen/domU/kernel-domU/files/CVE/CVE-2008-0009.patch
=================================================================
--- 2007/kernel-xen/domU/kernel-domU/files/CVE/CVE-2008-0009.patch	(original)
+++ 2007/kernel-xen/domU/kernel-domU/files/CVE/CVE-2008-0009.patch	Sun Feb 10 17:27:55 2008
@@ -1,20 +1,20 @@
-    Based on Bastian Blank's patch
+From: Bastian Blank <bastian at waldi.eu.org>
 
-    Fix for CVE_2008_0009 and CVE_2008-0010
+The commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
+pointer access verification") added access_ok() to copy_from_user_mmap_sem()
+which only ensures we can copy the struct iovecs from userspace to the kernel
+but we also must check whether we can access the actual memory region pointed
+to by the struct iovec to close the local root exploit.
 
 diff --git a/fs/splice.c b/fs/splice.c
-index 684bca3..b2e8ea1 100644
---- a/fs/splice.c
-+++ b/fs/splice.c
-@@ -1140,6 +1140,11 @@ static int get_iovec_page_array(const struct iovec __user *iov,
+index 684bca3..c2c9dce 100644
+@@ -1140,6 +1140,9 @@ static int get_iovec_page_array(const struct iovec __user *iov,
  		error = -EFAULT;
  		if (unlikely(!base))
  			break;
 +		
-+		if (!access_ok(VERIFY_READ, base, len)) {
-+			error = -EFAULT;
++		if (unlikely(!access_ok(VERIFY_READ, base, len)))
 +			break;
-+		}
  
  		/*
  		 * Get this base offset and number of pages, then map

