authorMartin Schwidefsky <schwidefsky@de.ibm.com>2006-09-28 15:31:52 +0200
committerGreg Kroah-Hartman <gregkh@suse.de>2006-10-13 13:23:21 -0700
commitfc51b686fa1e97060f8c9d061b74cff2b153c9f7 (patch)
tree4cc6fed6c910c41aabf71ac17c9edf29c6c54942 /arch
parent728ffb9f87916f1da296fad0e80874d88da5512e (diff)
S390: user readable uninitialised kernel memory (CVE-2006-5174)
[S390] user readable uninitialised kernel memory. A user space program can read uninitialised kernel memory by appending to a file from a bad address and then reading the result back. The cause is the copy_from_user function that does not clear the remaining bytes of the kernel buffer after it got a fault on the user space address. Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'arch')
-rw-r--r--arch/s390/lib/uaccess.S12
-rw-r--r--arch/s390/lib/uaccess64.S12
2 files changed, 22 insertions, 2 deletions
diff --git a/arch/s390/lib/uaccess.S b/arch/s390/lib/uaccess.S
index 837275284d9f..3f5511dd2bc4 100644
--- a/arch/s390/lib/uaccess.S
+++ b/arch/s390/lib/uaccess.S
@@ -40,7 +40,17 @@ __copy_from_user_asm:
# move with the reduced length which is < 256
5: mvcp 0(%r5,%r2),0(%r4),%r0
slr %r3,%r5
-6: lr %r2,%r3
+ alr %r2,%r5
+6: lgr %r5,%r3 # copy remaining size
+ ahi %r5,-1 # subtract 1 for xc loop
+ bras %r4,8f
+ xc 0(1,%2),0(%2)
+7: xc 0(256,%2),0(%2)
+ la %r2,256(%r2)
+8: ahji %r5,-256
+ jnm 7b
+ ex %r5,0(%r2)
+9: lr %r2,%r3
br %r14
.section __ex_table,"a"
.long 0b,4b
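Review bot: The final `ex %r5,0(%r2)` targets the destination buffer rather than the one-byte `xc` template whose address `bras %r4,8f` placed in %r4, so the tail of the kernel buffer is not reliably cleared and the instruction executed is taken from buffer contents. The target should be `0(%r4)`, and the same line in the arch/s390/lib/uaccess64.S hunk needs the same change. This 31-bit hunk also has `lgr` where the surrounding code uses 32-bit forms such as `lr`, `%2` instead of `%r2` in both `xc` lines, and `ahji`, which does not look like a valid mnemonic (presumably `ahi`); unless these are artifacts of the page, the file would not assemble. The function starts above the hunk, so the paths that reach label 6 are not visible here.

```asm
6:	lr	%r5,%r3		# copy remaining size
	# … unchanged: ahi %r5,-1 / bras %r4,8f …
	xc	0(1,%r2),0(%r2)
7:	xc	0(256,%r2),0(%r2)
	# … unchanged: la %r2,256(%r2) …
8:	ahi	%r5,-256
	# … unchanged: jnm 7b …
	ex	%r5,0(%r4)	# run the xc template that bras left in %r4
```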
diff --git a/arch/s390/lib/uaccess64.S b/arch/s390/lib/uaccess64.S
index 1f755be22f92..9376df013e9c 100644
--- a/arch/s390/lib/uaccess64.S
+++ b/arch/s390/lib/uaccess64.S
@@ -40,7 +40,17 @@ __copy_from_user_asm:
# move with the reduced length which is < 256
5: mvcp 0(%r5,%r2),0(%r4),%r0
slgr %r3,%r5
-6: lgr %r2,%r3
+ algr %r2,%r5
+6: lgr %r5,%r3 # copy remaining size
+ aghi %r5,-1 # subtract 1 for xc loop
+ bras %r4,8f
+ xc 0(1,%r2),0(%r2)
+7: xc 0(256,%r2),0(%r2)
+ la %r2,256(%r2)
+8: aghi %r5,-256
+ jnm 7b
+ ex %r5,0(%r2)
+9: lgr %r2,%r3
br %r14
.section __ex_table,"a"
.quad 0b,4b
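Review bot: The clearing sequence depends on %r3 being at least 1 at label 6, and nothing in the hunk records that precondition. With a zero remainder `aghi %r5,-1` leaves -1, the 256-byte loop is skipped, and the low byte 0xff of %r5 used as the `ex` length modifier would turn the one-byte `xc` into a 256-byte clear past the end of the data. The branches into label 6 lie above the hunk, so the remainder may well always be non-zero there; a comment on the `6:` line such as `# remaining size, always > 0 here (0 would clear 256 bytes)` would make the invariant explicit for the next person who adds a path to it.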