Re: [stable] [PATCH] kernel 2.6.24.1 still vulnerable to the vmsplice local root exploit

[Pekka Enberg]

On Feb 10, 2008 7:05 PM, Greg KH <greg@xxxxxxxxx> wrote:
> No, this is a different CVE, as it is a different problem from the
> original 09 and 10 report.
>
> It has been given CVE-2008-0600 to address this issue (09 and 10 only
> affect .23 and .24 kernels, and have been fixed.)
>
> > +             if(!access_ok(VERIFY_READ, base, len)) {
> > +                     error = -EFAULT;
> > +                     break;
> > +             }
>
> Hm, perhaps we should just properly check the len field instead?  That's
> what is being overflowed here...

Sorry, I forgot to cc you on this one:

http://lkml.org/lkml/2008/2/10/153

I don't see where the current code is checking that base is
accessible. We just check that we can copy the struct iovecs, right?

                        Pekka
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/