]> err.no Git - linux-2.6/commitdiff
splice: missing user pointer access verification
authorJens Axboe <jens.axboe@oracle.com>
Fri, 8 Feb 2008 16:49:14 +0000 (08:49 -0800)
committerLinus Torvalds <torvalds@woody.linux-foundation.org>
Fri, 8 Feb 2008 17:25:01 +0000 (09:25 -0800)
vmsplice_to_user() must always check the user pointer and length
with access_ok() before copying. Likewise, for the slow path of
copy_from_user_mmap_sem() we need to check that we may read from
the user region.

Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
Cc: Wojciech Purczynski <cliph@research.coseinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/splice.c

index 4ee49e86edde5a2272781b6e49e0371b721ceb33..14e2262c0a046641ece8086c7f7329a8a114ebda 100644 (file)
@@ -1179,6 +1179,9 @@ static int copy_from_user_mmap_sem(void *dst, const void __user *src, size_t n)
 {
        int partial;
 
+       if (!access_ok(VERIFY_READ, src, n))
+               return -EFAULT;
+
        pagefault_disable();
        partial = __copy_from_user_inatomic(dst, src, n);
        pagefault_enable();
@@ -1387,6 +1390,11 @@ static long vmsplice_to_user(struct file *file, const struct iovec __user *iov,
                        break;
                }
 
+               if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
+                       error = -EFAULT;
+                       break;
+               }
+
                sd.len = 0;
                sd.total_len = len;
                sd.flags = flags;