CVE-2008-0600: Fix exploitable hole in vmsplice() syscall.

Fix is Al Viro's suggested patch for RHEL5.
Signed-off-by: Keir Fraser <keir.fraser@citrix.com>

diff --git a/fs/splice.c b/fs/splice.c
index 4eed2f6c8eeb812921a3a047d996da6cb77742f7..0153c97df779c68ffb1f6e788655d3023653b65f 100644 (file)
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1141,6 +1141,9 @@ static int get_iovec_page_array(const struct iovec __user *iov,
                if (unlikely(!base))
                        break;
 
+               if (unlikely(!access_ok(VERIFY_READ, base, len)))
+                       break;
+
                /*
                 * Get this base offset and number of pages, then map
                 * in the user pages.