atl1-fix-frame-length-bug.patch
acpi-sync-blacklist-w-latest.patch
pci-fix-fakephp-deadlock.patch
+splice-missing-user-pointer-access-verification.patch
--- /dev/null
+From 8811930dc74a503415b35c4a79d14fb0b408a361 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <jens.axboe@oracle.com>
+Date: Fri, 8 Feb 2008 08:49:14 -0800
+Subject: splice: missing user pointer access verification (CVE-2008-0009/10)
+
+From: Jens Axboe <jens.axboe@oracle.com>
+
+patch 8811930dc74a503415b35c4a79d14fb0b408a361 in mainline.
+
+vmsplice_to_user() must always check the user pointer and length
+with access_ok() before copying. Likewise, for the slow path of
+copy_from_user_mmap_sem() we need to check that we may read from
+the user region.
+
+Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
+Cc: Wojciech Purczynski <cliph@research.coseinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+---
+ fs/splice.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1234,6 +1234,9 @@ static int copy_from_user_mmap_sem(void
+ {
+ int partial;
+
++ if (!access_ok(VERIFY_READ, src, n))
++ return -EFAULT;
++
+ pagefault_disable();
+ partial = __copy_from_user_inatomic(dst, src, n);
+ pagefault_enable();
+@@ -1442,6 +1445,11 @@ static long vmsplice_to_user(struct file
+ break;
+ }
+
++ if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
++ error = -EFAULT;
++ break;
++ }
++
+ sd.len = 0;
+ sd.total_len = len;
+ sd.flags = flags;
fix-writev-regression-pan-hanging-unkillable-and-un-straceable.patch
driver-core-revert-fix-firmware-class-name-collision.patch
drm-the-drm-really-should-call-pci_set_master.patch
+splice-missing-user-pointer-access-verification.patch
--- /dev/null
+From 8811930dc74a503415b35c4a79d14fb0b408a361 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <jens.axboe@oracle.com>
+Date: Fri, 8 Feb 2008 08:49:14 -0800
+Subject: splice: missing user pointer access verification (CVE-2008-0009/10)
+
+From: Jens Axboe <jens.axboe@oracle.com>
+
+patch 8811930dc74a503415b35c4a79d14fb0b408a361 in mainline.
+
+vmsplice_to_user() must always check the user pointer and length
+with access_ok() before copying. Likewise, for the slow path of
+copy_from_user_mmap_sem() we need to check that we may read from
+the user region.
+
+Signed-off-by: Jens Axboe <jens.axboe@oracle.com>
+Cc: Wojciech Purczynski <cliph@research.coseinc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+---
+ fs/splice.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1184,6 +1184,9 @@ static int copy_from_user_mmap_sem(void
+ {
+ int partial;
+
++ if (!access_ok(VERIFY_READ, src, n))
++ return -EFAULT;
++
+ pagefault_disable();
+ partial = __copy_from_user_inatomic(dst, src, n);
+ pagefault_enable();
+@@ -1392,6 +1395,11 @@ static long vmsplice_to_user(struct file
+ break;
+ }
+
++ if (unlikely(!access_ok(VERIFY_WRITE, base, len))) {
++ error = -EFAULT;
++ break;
++ }
++
+ sd.len = 0;
+ sd.total_len = len;
+ sd.flags = flags;
projects / thirdparty / kernel / stable-queue.git / commitdiff
