Linux Kernel Vmsplice() Privilege Escalation Exploit

Exploits missing validation of parameters in the vmsplice_to_user(), copy_from_user_mmap_sem(), and get_iovec_page_array() functions in fs/splice.c, which use those parameters in certain memory operations without first verifying them. A specially crafted vmsplice() system call can, for example, read or write arbitrary kernel memory, allowing an unprivileged process to elevate its privileges to root.
Exploit type: 
Vulnerability ID: 
Released Date: Sunday, February 10, 2008 - 18:00