author | Martin Schwidefsky <schwidefsky@de.ibm.com> | 2006-09-28 15:31:52 +0200 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2006-10-13 13:23:21 -0700 |
commit | fc51b686fa1e97060f8c9d061b74cff2b153c9f7 (patch) | |
tree | 4cc6fed6c910c41aabf71ac17c9edf29c6c54942 /arch | |
parent | 728ffb9f87916f1da296fad0e80874d88da5512e (diff) |
S390: user readable uninitialised kernel memory (CVE-2006-5174)
[S390] user readable uninitialised kernel memory.
A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'arch')
-rw-r--r-- | arch/s390/lib/uaccess.S | 12 | ||||
-rw-r--r-- | arch/s390/lib/uaccess64.S | 12 |
2 files changed, 22 insertions, 2 deletions
diff --git a/arch/s390/lib/uaccess.S b/arch/s390/lib/uaccess.S
index 837275284d9f..3f5511dd2bc4 100644
--- a/arch/s390/lib/uaccess.S
+++ b/arch/s390/lib/uaccess.S
@@ -40,7 +40,17 @@ __copy_from_user_asm:
 # move with the reduced length which is < 256
 5: mvcp 0(%r5,%r2),0(%r4),%r0
 slr %r3,%r5
-6: lr %r2,%r3
+ alr %r2,%r5
+6: lgr %r5,%r3 # copy remaining size
+ ahi %r5,-1 # subtract 1 for xc loop
+ bras %r4,8f
+ xc 0(1,%2),0(%2)
+7: xc 0(256,%2),0(%2)
+ la %r2,256(%r2)
+8: ahji %r5,-256
+ jnm 7b
+ ex %r5,0(%r2)
+9: lr %r2,%r3
 br %r14
 .section __ex_table,"a"
 .long 0b,4b
diff --git a/arch/s390/lib/uaccess64.S b/arch/s390/lib/uaccess64.S
index 1f755be22f92..9376df013e9c 100644
--- a/arch/s390/lib/uaccess64.S
+++ b/arch/s390/lib/uaccess64.S
@@ -40,7 +40,17 @@ __copy_from_user_asm:
 # move with the reduced length which is < 256
 5: mvcp 0(%r5,%r2),0(%r4),%r0
 slgr %r3,%r5
-6: lgr %r2,%r3
+ algr %r2,%r5
+6: lgr %r5,%r3 # copy remaining size
+ aghi %r5,-1 # subtract 1 for xc loop
+ bras %r4,8f
+ xc 0(1,%r2),0(%r2)
+7: xc 0(256,%r2),0(%r2)
+ la %r2,256(%r2)
+8: aghi %r5,-256
+ jnm 7b
+ ex %r5,0(%r2)
+9: lgr %r2,%r3
 br %r14
 .section __ex_table,"a"
 .quad 0b,4b |
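Review bot: The closing `ex %r5,0(%r2)` takes its target instruction from the destination buffer instead of the `xc 0(1,…)` template, because `bras %r4,8f` leaves the template's address in %r4, not %r2. The line should read `ex %r5,0(%r4)`, and the uaccess64.S hunk has the same line. As written, the final partial block (up to 256 bytes) of the kernel buffer is not reliably zeroed and the executed bytes come from uninitialised memory, so the leak the commit describes is not fully closed. In this 31-bit file the added lines also use `lgr %r5,%r3` and `ahji %r5,-256` where the neighbouring code uses `lr` and `ahi`, and both `xc` lines name `%2` rather than `%r2`; these look like typos that should be corrected to `lr`, `ahi` and `%r2`. __copy_from_user_asm starts above the hunk and its exception table continues below it, so which fault paths enter at label 6 cannot be confirmed from here.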
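Review bot: The zeroing sequence added from label 6 to label 9 in uaccess64.S carries no comment on the `bras`/`xc`/`ex` idiom, so the role of each register is hard to audit in a path that exists to prevent a kernel memory disclosure. I would add `# zero the uncopied tail of the kernel buffer` above `6:`, `# %r4 = address of the 1-byte xc template that follows` on the `bras %r4,8f` line, and `# clear the final partial block: template length taken from low byte of %r5` on the `ex` line. The routine begins above the hunk, so the wording should follow however %r2–%r5 are described in its header.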