splice: fix user pointer access in get_iovec_page_array()
authorBastian Blank <bastian@waldi.eu.org>
Sun, 10 Feb 2008 14:47:57 +0000 (16:47 +0200)
committerLinus Torvalds <torvalds@woody.linux-foundation.org>
Sun, 10 Feb 2008 18:27:21 +0000 (10:27 -0800)
Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
pointer access verification") added the proper access_ok() calls to
copy_from_user_mmap_sem() which ensures we can copy the struct iovecs
from userspace to the kernel.

But we also must check whether we can access the actual memory region
pointed to by the struct iovec to fix the access checks properly.

Signed-off-by: Bastian Blank <waldi@debian.org>
Acked-by: Oliver Pinter <oliver.pntr@gmail.com>
Cc: Jens Axboe <jens.axboe@oracle.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
fs/splice.c

index 14e2262c0a046641ece8086c7f7329a8a114ebda..9b559ee711a8e59f8e12fb0029b4d5a0356b7df4 100644 (file)
@@ -1234,7 +1234,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
                if (unlikely(!len))
                        break;
                error = -EFAULT;
-               if (unlikely(!base))
+               if (!access_ok(VERIFY_READ, base, len))
                        break;
 
                /*