From 1b7389767f7945f301d57c1150c02b01effacfe4 Mon Sep 17 00:00:00 2001
From: Michael Marineau <marineam@gentoo.org>
Date: Fri, 22 Feb 2008 23:39:58 +0000
Subject: Fix CVE-2008-0600 for 2.6.20

svn path=/patches/; revision=70
---
 trunk/2.6.20/00000_README                        |  3 ++
 trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch | 37 ++++++++++++++++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch

diff --git a/trunk/2.6.20/00000_README b/trunk/2.6.20/00000_README
index 3807690..7673e98 100644
--- a/trunk/2.6.20/00000_README
+++ b/trunk/2.6.20/00000_README
@@ -26,6 +26,9 @@ Patches
 20xxx-?
     Various bug-fix patches from Redhat.
 
+26000_linux-2.6-cve-2008-0600.patch
+    Fix the vmsplice issue CVE 2008-0600 from the 2.6.21 patchset.
+
 30037_amd64-zero-extend-32bit-ptrace-xen.patch
     [SECURITY] Zero extend all registers after ptrace in 32-bit entry path
     (Xen).
diff --git a/trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch b/trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch
new file mode 100644
index 0000000..b783259
--- /dev/null
+++ b/trunk/2.6.20/26000_linux-2.6-cve-2008-0600.patch
@@ -0,0 +1,37 @@
+From: Bastian Blank <bastian@waldi.eu.org>
+Date: Sun, 10 Feb 2008 14:47:57 +0000 (+0200)
+Subject: splice: fix user pointer access in get_iovec_page_array()
+X-Git-Url: http://git.kernel.org/?p=linux%2Fkernel%2Fgit%2Ftorvalds%2Flinux-2.6.git;a=commitdiff_plain;h=712a30e63c8066ed84385b12edbfb804f49cbc44
+
+splice: fix user pointer access in get_iovec_page_array()
+
+Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user
+pointer access verification") added the proper access_ok() calls to
+copy_from_user_mmap_sem() which ensures we can copy the struct iovecs
+from userspace to the kernel.
+
+But we also must check whether we can access the actual memory region
+pointed to by the struct iovec to fix the access checks properly.
+
+Signed-off-by: Bastian Blank <waldi@debian.org>
+Acked-by: Oliver Pinter <oliver.pntr@gmail.com>
+Cc: Jens Axboe <jens.axboe@oracle.com>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+---
+
+diff --git a/fs/splice.c b/fs/splice.c
+index 14e2262..9b559ee 100644
+--- a/fs/splice.c
++++ b/fs/splice.c
+@@ -1234,7 +1234,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
+ 		if (unlikely(!len))
+ 			break;
+ 		error = -EFAULT;
+-		if (unlikely(!base))
++		if (!access_ok(VERIFY_READ, base, len))
+ 			break;
+ 
+ 		/*
+
-- 
cgit v1.2.3-65-gdbad