On Sun, 10 Feb 2008, Matthew Miller wrote:
On Sun, Feb 10, 2008 at 07:17:27PM -0600, Baird, Josh wrote:
It actually made my 2.6.18-53.1.4.el5 x86 box panic.
Yeah, me too. So that's arguably less severe, but still no good.
A tweak of the exploit will make it work on x86_64 rather than cause kernel panic (https://bugzilla.redhat.com/show_bug.cgi?id=432251#c23).
Proposed patch is already in upstream bug tracker (https://bugzilla.redhat.com/show_bug.cgi?id=432251#c6)
diff -urN linux-2.6.18.x86_64/fs/splice.c linux-2.6.18.x86_64-fix/fs/splice.c --- linux-2.6.18.x86_64/fs/splice.c 2008-02-10 11:08:19.000000000 -0500 +++ linux-2.6.18.x86_64-fix/fs/splice.c 2008-02-10 11:31:06.000000000 -0500 @@ -1154,6 +1154,9 @@ if (unlikely(!base)) break;
+ if (unlikely(!access_ok(VERIFY_READ, base, len))) + break; + /* * Get this base offset and number of pages, then map * in the user pages.