summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorBastian Blank <bastian@waldi.eu.org>2008-02-10 16:47:57 +0200
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2008-02-10 10:27:21 -0800
commit712a30e63c8066ed84385b12edbfb804f49cbc44 (patch)
tree0562431cf00ccb740547b13a41d79f6319254ca0
parent25f666300625d894ebe04bac2b4b3aadb907c861 (diff)
downloadlwn-712a30e63c8066ed84385b12edbfb804f49cbc44.tar.gz
lwn-712a30e63c8066ed84385b12edbfb804f49cbc44.zip
splice: fix user pointer access in get_iovec_page_array()
Commit 8811930dc74a503415b35c4a79d14fb0b408a361 ("splice: missing user pointer access verification") added the proper access_ok() calls to copy_from_user_mmap_sem() which ensures we can copy the struct iovecs from userspace to the kernel. But we also must check whether we can access the actual memory region pointed to by the struct iovec to fix the access checks properly. Signed-off-by: Bastian Blank <waldi@debian.org> Acked-by: Oliver Pinter <oliver.pntr@gmail.com> Cc: Jens Axboe <jens.axboe@oracle.com> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Pekka Enberg <penberg@cs.helsinki.fi> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r--fs/splice.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/splice.c b/fs/splice.c
index 14e2262c0a04..9b559ee711a8 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1234,7 +1234,7 @@ static int get_iovec_page_array(const struct iovec __user *iov,
if (unlikely(!len))
break;
error = -EFAULT;
- if (unlikely(!base))
+ if (!access_ok(VERIFY_READ, base, len))
break;
/*