[patch 12/67] S390: user readable uninitialised kernel memory (CVE-2006-5174)
From: Greg KH
Date: Wed Oct 11 2006 - 17:28:15 EST
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Martin Schwidefsky <schwidefsky@xxxxxxxxxx>
[S390] user readable uninitialised kernel memory.
A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.
Signed-off-by: Martin Schwidefsky <schwidefsky@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
arch/s390/lib/uaccess.S | 12 +++++++++++-
arch/s390/lib/uaccess64.S | 12 +++++++++++-
2 files changed, 22 insertions(+), 2 deletions(-)
--- linux-2.6.18.orig/arch/s390/lib/uaccess.S
+++ linux-2.6.18/arch/s390/lib/uaccess.S
@@ -40,7 +40,17 @@ __copy_from_user_asm:
# move with the reduced length which is < 256
5: mvcp 0(%r5,%r2),0(%r4),%r0
slr %r3,%r5
-6: lr %r2,%r3
+ alr %r2,%r5
+6: lgr %r5,%r3 # copy remaining size
+ ahi %r5,-1 # subtract 1 for xc loop
+ bras %r4,8f
+ xc 0(1,%2),0(%2)
+7: xc 0(256,%2),0(%2)
+ la %r2,256(%r2)
+8: ahji %r5,-256
+ jnm 7b
+ ex %r5,0(%r2)
+9: lr %r2,%r3
br %r14
.section __ex_table,"a"
.long 0b,4b
--- linux-2.6.18.orig/arch/s390/lib/uaccess64.S
+++ linux-2.6.18/arch/s390/lib/uaccess64.S
@@ -40,7 +40,17 @@ __copy_from_user_asm:
# move with the reduced length which is < 256
5: mvcp 0(%r5,%r2),0(%r4),%r0
slgr %r3,%r5
-6: lgr %r2,%r3
+ algr %r2,%r5
+6: lgr %r5,%r3 # copy remaining size
+ aghi %r5,-1 # subtract 1 for xc loop
+ bras %r4,8f
+ xc 0(1,%r2),0(%r2)
+7: xc 0(256,%r2),0(%r2)
+ la %r2,256(%r2)
+8: aghi %r5,-256
+ jnm 7b
+ ex %r5,0(%r2)
+9: lgr %r2,%r3
br %r14
.section __ex_table,"a"
.quad 0b,4b
--
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/