Fixed security issue, bug 209460. Straight to stable.

Package-Manager: portage-2.1.3.19
RepoMan-Options: --force

1 files changed, 25 insertions, 0 deletions

diff --git a/sys-kernel/openvz-sources/files/openvz-sources-2.6.18-ms-splice-access.patch b/sys-kernel/openvz-sources/files/openvz-sources-2.6.18-ms-splice-access.patch
new file mode 100644
index 000000000000..d323f0cc28cf
--- /dev/null
+++ b/sys-kernel/openvz-sources/files/openvz-sources-2.6.18-ms-splice-access.patch
@@ -0,0 +1,25 @@
+https://bugs.gentoo.org/show_bug.cgi?id=209460
+http://bugzilla.openvz.org/show_bug.cgi?id=814
+
+--- ./fs/splice.c.pipe	2008-01-28 18:56:37.000000000 +0300
++++ ./fs/splice.c	2008-02-11 14:00:53.000000000 +0300
+@@ -1138,6 +1138,10 @@ static int get_iovec_page_array(const st
+ 		/*
+ 		 * Get user address base and length for this iovec.
+ 		 */
++		error = -EFAULT;
++        	if (!access_ok(VERIFY_READ, iov, sizeof(*iov)))
++			break;
++
+ 		error = get_user(base, &iov->iov_base);
+ 		if (unlikely(error))
+ 			break;
+@@ -1151,7 +1155,7 @@ static int get_iovec_page_array(const st
+ 		if (unlikely(!len))
+ 			break;
+ 		error = -EFAULT;
+-		if (unlikely(!base))
++		if (!access_ok(VERIFY_READ, base, len))
+ 			break;
+ 
+ 		/*