aboutsummaryrefslogtreecommitdiff
path: root/arch/s390
diff options
context:
space:
mode:
authorMartin Schwidefsky <schwidefsky@de.ibm.com>2006-11-05 08:01:53 +0100
committerAdrian Bunk <bunk@stusta.de>2006-11-05 08:01:53 +0100
commitdfa2e9e76edadc584a0da6966aa081527dad1372 (patch)
treefcea4cdb377bd60e25c792c912a750b7fecceee6 /arch/s390
parent143144b7ecdebce0ac5a5e5bd211555f659a3025 (diff)
[S390] fix user readable uninitialised kernel memory (CVE-2006-5174)
A user space program can read uninitialised kernel memory by appending to a file from a bad address and then reading the result back. The cause is the copy_from_user function that does not clear the remaining bytes of the kernel buffer after it got a fault on the user space address. Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> Signed-off-by: Adrian Bunk <bunk@stusta.de>
Diffstat (limited to 'arch/s390')
-rw-r--r--arch/s390/lib/uaccess.S12
-rw-r--r--arch/s390/lib/uaccess64.S12
2 files changed, 22 insertions, 2 deletions
diff --git a/arch/s390/lib/uaccess.S b/arch/s390/lib/uaccess.S
index 5d59e262504..d4c218c2b65 100644
--- a/arch/s390/lib/uaccess.S
+++ b/arch/s390/lib/uaccess.S
@@ -40,7 +40,17 @@ __copy_from_user_asm:
# move with the reduced length which is < 256
5: mvcp 0(%r5,%r2),0(%r4),%r0
slr %r3,%r5
-6: lr %r2,%r3
+ alr %r2,%r5
+6: lgr %r5,%r3 # copy remaining size
+ ahi %r5,-1 # subtract 1 for xc loop
+ bras %r4,8f
+ xc 0(1,%2),0(%2)
+7: xc 0(256,%2),0(%2)
+ la %r2,256(%r2)
+8: ahji %r5,-256
+ jnm 7b
+ ex %r5,0(%r2)
+9: lr %r2,%r3
br %r14
.section __ex_table,"a"
.long 0b,4b
diff --git a/arch/s390/lib/uaccess64.S b/arch/s390/lib/uaccess64.S
index 19b41a33c23..9811e8a2fc8 100644
--- a/arch/s390/lib/uaccess64.S
+++ b/arch/s390/lib/uaccess64.S
@@ -40,7 +40,17 @@ __copy_from_user_asm:
# move with the reduced length which is < 256
5: mvcp 0(%r5,%r2),0(%r4),%r0
slgr %r3,%r5
-6: lgr %r2,%r3
+ algr %r2,%r5
+6: lgr %r5,%r3 # copy remaining size
+ aghi %r5,-1 # subtract 1 for xc loop
+ bras %r4,8f
+ xc 0(1,%r2),0(%r2)
+7: xc 0(256,%r2),0(%r2)
+ la %r2,256(%r2)
+8: aghi %r5,-256
+ jnm 7b
+ ex %r5,0(%r2)
+9: lgr %r2,%r3
br %r14
.section __ex_table,"a"
.quad 0b,4b