authorMichael Marineau <marineam@gentoo.org>2008-02-22 23:39:58 +0000
committerMichael Marineau <marineam@gentoo.org>2008-02-22 23:39:58 +0000
commit1b7389767f7945f301d57c1150c02b01effacfe4 (patch)
tree397619a3096af503476525e2473e93c0d1230161
parentremove broken 2.6.22 ebuild (diff)
Fix CVE-2008-0600 for 2.6.20
svn path=/patches/; revision=70
-rw-r--r--trunk/2.6.20/00000_README3
-rw-r--r--trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch37
2 files changed, 40 insertions, 0 deletions
diff --git a/trunk/2.6.20/00000_README b/trunk/2.6.20/00000_README
index 3807690..7673e98 100644
--- a/trunk/2.6.20/00000_README
+++ b/trunk/2.6.20/00000_README
@@ -26,6 +26,9 @@ Patches
20xxx-?
Various bug-fix patches from Redhat.
+26000_linux-2.6-cve-2008-0600.patch
+ Fix the vmsplice issue CVE 2008-0600 from the 2.6.21 patchset.
+
30037_amd64-zero-extend-32bit-ptrace-xen.patch
[SECURITY] Zero extend all registers after ptrace in 32-bit entry path
(Xen).
diff --git a/trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch b/trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch
new file mode 100644
index 0000000..b783259
--- /dev/null
+++ b/trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch
@@ -0,0 +1,37 @@
+From: Bastian Blank <bastian@waldi.eu.org>
+Date: Sun, 10 Feb 2008 14:47:57 +0000 (+0200)
+Subject: splice: fix user pointer access in get_iovec_page_array()
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=712a30e63c8066ed84385b12edbfb804f49cbc44
+
+splice: fix user pointer access in get_iovec_page_array()
+
+Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
+pointer access verification") added the proper access_ok() calls to
+copy_from_user_mmap_sem() which ensures we can copy the struct iovecs
+from userspace to the kernel.
+
+But we also must check whether we can access the actual memory region
+pointed to by the struct iovec to fix the access checks properly.
+
+Signed-off-by: Bastian Blank <waldi@debian.org>
+Acked-by: Oliver Pinter <oliver.pntr@gmail.com>
+Cc: Jens Axboe <jens.axboe@oracle.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/fs/splice.c b/fs/splice.c
+index 14e2262..9b559ee 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1234,7 +1234,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
+ if (unlikely(!len))
+ break;
+ error = -EFAULT;
+- if (unlikely(!base))
++ if (!access_ok(VERIFY_READ, base, len))
+ break;
+
+ /*
+
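Review bot: The new `access_ok(VERIFY_READ, base, len)` test in the embedded fs/splice.c hunk carries no comment saying why the range is checked, and it drops the `unlikely()` hint that the neighbouring `!len` test keeps. I would write it as `if (unlikely(!access_ok(VERIFY_READ, base, len)))` with `/* base and len come from the user-supplied iovec: reject ranges outside the user address space */` above it. access_ok() is only an address-range check and does not show that the pages are mapped, so the code later in get_iovec_page_array() that takes the pages must still handle faults; that part of the function is outside the hunk. Because the README describes this as taken from the 2.6.21 patchset, it is worth confirming that the hunk applies at this offset in the 2.6.20 tree and that no other user-pointer path in this kernel's splice code needs the same check.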