splice: fix user pointer access in get_iovec_page_array()

Commit 8811930d ("splice: missing user pointer access verification") added the proper access_ok() calls to copy_from_user_mmap_sem() which ensures we can copy the struct iovecs from userspace to the kernel. But we also must check whether we can access the actual memory region pointed to by the struct iovec to fix the access checks properly. Signed-off-by: N Bastian Blank <waldi@debian.org> Acked-by: N Oliver Pinter <oliver.pntr@gmail.com> Cc: Jens Axboe <jens.axboe@oracle.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: N Pekka Enberg <penberg@cs.helsinki.fi> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>

splice: fix user pointer access in get_iovec_page_array()
Commit 8811930d ("splice: missing user pointer access verification") added the proper access_ok() calls to copy_from_user_mmap_sem() which ensures we can copy the struct iovecs from userspace to the kernel. But we also must check whether we can access the actual memory region pointed to by the struct iovec to fix the access checks properly. Signed-off-by: N Bastian Blank <waldi@debian.org> Acked-by: N Oliver Pinter <oliver.pntr@gmail.com> Cc: Jens Axboe <jens.axboe@oracle.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: N Pekka Enberg <penberg@cs.helsinki.fi> Signed-off-by: N Linus Torvalds <torvalds@linux-foundation.org>
712a30e6 · Bastian Blank · Linus Torvalds · 25f66630 · 712a30e6
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

fs/splice.c fs/splice.c +1 -1

未找到文件。
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1234,7 +1234,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
 		if (unlikely(!len))
 			break;
 		error = -EFAULT;
-		if (unlikely(!base))
+		if (!access_ok(VERIFY_READ, base, len))
 			break;

 		/*