[PATCH] vmsplice exploit fix (was: splice: fix user pointer access in get_iovec_page_array)

[Daniel Phillips]

Kudos to all involved in the rapid response.  But.

Information on patching this vulnerability is not available front and 
center in many of the places you would expect: kernel.org front page, 
debian.org front page, covered on planet.debian.org but without a 
pointer to the patch, and so on.  So this post provides a subject line 
for Google to find, and for good measure mentions the word 
vulnerability.

Also,

   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=464953

I think many users would first go to kernel.org on a day like today, as 
I did.  Nothing to see there.  We could do a way better job of getting 
the word out.

Patch attached as posted above by Pekka.  For the mortals among us:

   cd linux-2.6.recent && patch <fix.vmsplice.exploit.patch -p1

Regards,

Daniel
Cc: <stable@xxxxxxxxxx>
Cc: Jens Axboe <jens.axboe@xxxxxxxxxx>
Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
Signed-off-by: Pekka Enberg <penberg@xxxxxxxxxxxxxx>
---
Bastian, can I have your Signed-off-by for this, please? Oliver, Niki, can 
you please confirm this closes the hole?

 fs/splice.c |    3 +++
 1 file changed, 3 insertions(+)

Index: linux-2.6/fs/splice.c
===================================================================
--- linux-2.6.orig/fs/splice.c
+++ linux-2.6/fs/splice.c
@@ -1237,6 +1237,9 @@ static int get_iovec_page_array(const st
 		if (unlikely(!base))
 			break;
 
+		if (unlikely(!access_ok(VERIFY_READ, base, len)))
+			break;
+
 		/*
 		 * Get this base offset and number of pages, then map
 		 * in the user pages.