[patch 12/67] S390: user readable uninitialised kernel memory (CVE-2006-5174)

-stable review patch.  If anyone has any objections, please let us know.

------------------
From: Martin Schwidefsky <[email protected]>

[S390] user readable uninitialised kernel memory.

A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.

Signed-off-by: Martin Schwidefsky <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

---
 arch/s390/lib/uaccess.S   |   12 +++++++++++-
 arch/s390/lib/uaccess64.S |   12 +++++++++++-
 2 files changed, 22 insertions(+), 2 deletions(-)

--- linux-2.6.18.orig/arch/s390/lib/uaccess.S
+++ linux-2.6.18/arch/s390/lib/uaccess.S
@@ -40,7 +40,17 @@ __copy_from_user_asm:
 	# move with the reduced length which is < 256
 5:	mvcp	0(%r5,%r2),0(%r4),%r0
 	slr	%r3,%r5
-6:	lr	%r2,%r3
+	alr	%r2,%r5
+6:	lgr	%r5,%r3		# copy remaining size
+	ahi	%r5,-1		# subtract 1 for xc loop
+	bras	%r4,8f
+	xc	0(1,%2),0(%2)
+7:	xc	0(256,%2),0(%2)
+	la	%r2,256(%r2)
+8:	ahji	%r5,-256
+	jnm	7b
+	ex	%r5,0(%r2)
+9:	lr	%r2,%r3
 	br	%r14
         .section __ex_table,"a"
 	.long	0b,4b
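Review bot: The added lines in this 31-bit hunk differ from their uaccess64.S counterparts in ways that look like typos: both `xc` lines use `%2` where the 64-bit file uses `%r2`, `8: ahji %r5,-256` uses a mnemonic that does not match the `ahi` two lines after label 6, and `6: lgr %r5,%r3` is the 64-bit register load in a file that otherwise uses `lr`/`slr`/`alr`. Suggest `%r2`, `ahi %r5,-256` and `lr %r5,%r3` so the clearing loop matches the rest of the file. The `ex %r5,0(%r2)` operand has the same problem as in the 64-bit hunk: `bras %r4,8f` leaves the address of the one-byte `xc` template in %r4, so %r2 is the wrong base for the execute target.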
--- linux-2.6.18.orig/arch/s390/lib/uaccess64.S
+++ linux-2.6.18/arch/s390/lib/uaccess64.S
@@ -40,7 +40,17 @@ __copy_from_user_asm:
 	# move with the reduced length which is < 256
 5:	mvcp	0(%r5,%r2),0(%r4),%r0
 	slgr	%r3,%r5
-6:	lgr	%r2,%r3
+	algr	%r2,%r5
+6:	lgr	%r5,%r3		# copy remaining size
+	aghi	%r5,-1		# subtract 1 for xc loop
+	bras	%r4,8f
+	xc	0(1,%r2),0(%r2)
+7:	xc	0(256,%r2),0(%r2)
+	la	%r2,256(%r2)
+8:	aghi	%r5,-256
+	jnm	7b
+	ex	%r5,0(%r2)
+9:	lgr	%r2,%r3
 	br	%r14
         .section __ex_table,"a"
 	.quad	0b,4b
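Review bot: `ex %r5,0(%r2)` after the loop executes whatever sits at the destination buffer address, not the `xc 0(1,%r2),0(%r2)` template; `bras %r4,8f` put the template's address in %r4, so this should be `ex %r5,0(%r4)`. As written, the final partial chunk (fewer than 256 bytes) is not reliably cleared, which is the case the commit message is about. A short comment at the `bras` noting that %r4 (the user source pointer in the `mvcp` above) is deliberately reused would help, and label 9 is not referenced by anything in the visible lines, so either drop it or say what branches there.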
