From: Greg Kroah-Hartman Date: Mon, 11 Feb 2008 05:54:33 +0000 (-0800) Subject: 2.6.24.2 X-Git-Tag: v2.6.22.19~20 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=57805d470e53bf00d73a603a944b5b9816101193;p=thirdparty%2Fkernel%2Fstable-queue.git 2.6.24.2 --- diff --git a/releases/2.6.24.2/splice-fix-user-pointer-access-in-get_iovec_page_array.patch b/releases/2.6.24.2/splice-fix-user-pointer-access-in-get_iovec_page_array.patch new file mode 100644 index 00000000000..3be32c2ef2b --- /dev/null +++ b/releases/2.6.24.2/splice-fix-user-pointer-access-in-get_iovec_page_array.patch @@ -0,0 +1,38 @@ +From 712a30e63c8066ed84385b12edbfb804f49cbc44 Mon Sep 17 00:00:00 2001 +From: Bastian Blank +Date: Sun, 10 Feb 2008 16:47:57 +0200 +Subject: [PATCH] splice: fix user pointer access in get_iovec_page_array() + +patch 712a30e63c8066ed84385b12edbfb804f49cbc44 in mainline. + +Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user +pointer access verification") added the proper access_ok() calls to +copy_from_user_mmap_sem() which ensures we can copy the struct iovecs +from userspace to the kernel. + +But we also must check whether we can access the actual memory region +pointed to by the struct iovec to fix the access checks properly. + +Signed-off-by: Bastian Blank +Acked-by: Oliver Pinter +Cc: Jens Axboe +Cc: Andrew Morton +Signed-off-by: Pekka Enberg +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/splice.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -1239,7 +1239,7 @@ static int get_iovec_page_array(const st + if (unlikely(!len)) + break; + error = -EFAULT; +- if (unlikely(!base)) ++ if (!access_ok(VERIFY_READ, base, len)) + break; + + /*
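Review bot: in the fs/splice.c hunk for get_iovec_page_array(), the `!base` test is replaced outright rather than extended, and the `unlikely()` annotation is dropped with it. access_ok() is an address-range check, so a NULL `base` with a non-zero `len` is no longer rejected at this line and is left to whatever page lookup follows the hunk. Please confirm that later path still returns an error for it, or say in the commit message that the explicit NULL rejection is intentionally gone. The failure branch is still the cold path, so `if (unlikely(!access_ok(VERIFY_READ, base, len)))` would keep the original hint. The commit message would also benefit from one sentence on why VERIFY_READ is the right direction for this caller, since the hunk does not show how the region is used afterwards.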