2.6.24.2

diff --git a/releases/2.6.24.2/splice-fix-user-pointer-access-in-get_iovec_page_array.patch b/releases/2.6.24.2/splice-fix-user-pointer-access-in-get_iovec_page_array.patch
new file mode 100644 (file)
index 0000000..3be32c2
--- /dev/null
+++ b/releases/2.6.24.2/splice-fix-user-pointer-access-in-get_iovec_page_array.patch
@@ -0,0 +1,38 @@
+From 712a30e63c8066ed84385b12edbfb804f49cbc44 Mon Sep 17 00:00:00 2001
+From: Bastian Blank <bastian@waldi.eu.org>
+Date: Sun, 10 Feb 2008 16:47:57 +0200
+Subject: [PATCH] splice: fix user pointer access in get_iovec_page_array()
+
+patch 712a30e63c8066ed84385b12edbfb804f49cbc44 in mainline.
+
+Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
+pointer access verification") added the proper access_ok() calls to
+copy_from_user_mmap_sem() which ensures we can copy the struct iovecs
+from userspace to the kernel.
+
+But we also must check whether we can access the actual memory region
+pointed to by the struct iovec to fix the access checks properly.
+
+Signed-off-by: Bastian Blank <waldi@debian.org>
+Acked-by: Oliver Pinter <oliver.pntr@gmail.com>
+Cc: Jens Axboe <jens.axboe@oracle.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/splice.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1239,7 +1239,7 @@ static int get_iovec_page_array(const st
+               if (unlikely(!len))
+                       break;
+               error = -EFAULT;
+-              if (unlikely(!base))
++              if (!access_ok(VERIFY_READ, base, len))
+                       break;
+ 
+               /*