From: Martin Schwidefsky Date: Thu, 28 Sep 2006 13:31:52 +0000 (+0200) Subject: S390: user readable uninitialised kernel memory (CVE-2006-5174) X-Git-Tag: v2.6.18.1~58 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fc51b686fa1e97060f8c9d061b74cff2b153c9f7;p=thirdparty%2Fkernel%2Fstable.git S390: user readable uninitialised kernel memory (CVE-2006-5174) [S390] user readable uninitialised kernel memory. A user space program can read uninitialised kernel memory by appending to a file from a bad address and then reading the result back. The cause is the copy_from_user function that does not clear the remaining bytes of the kernel buffer after it got a fault on the user space address. Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman --- diff --git a/arch/s390/lib/uaccess.S b/arch/s390/lib/uaccess.S index 837275284d9fa..3f5511dd2bc4c 100644 --- a/arch/s390/lib/uaccess.S +++ b/arch/s390/lib/uaccess.S @@ -40,7 +40,17 @@ __copy_from_user_asm: # move with the reduced length which is < 256 5: mvcp 0(%r5,%r2),0(%r4),%r0 slr %r3,%r5 -6: lr %r2,%r3 + alr %r2,%r5 +6: lgr %r5,%r3 # copy remaining size + ahi %r5,-1 # subtract 1 for xc loop + bras %r4,8f + xc 0(1,%2),0(%2) +7: xc 0(256,%2),0(%2) + la %r2,256(%r2) +8: ahji %r5,-256 + jnm 7b + ex %r5,0(%r2) +9: lr %r2,%r3 br %r14 .section __ex_table,"a" .long 0b,4b diff --git a/arch/s390/lib/uaccess64.S b/arch/s390/lib/uaccess64.S index 1f755be22f927..9376df013e9c0 100644 --- a/arch/s390/lib/uaccess64.S +++ b/arch/s390/lib/uaccess64.S @@ -40,7 +40,17 @@ __copy_from_user_asm: # move with the reduced length which is < 256 5: mvcp 0(%r5,%r2),0(%r4),%r0 slgr %r3,%r5 -6: lgr %r2,%r3 + algr %r2,%r5 +6: lgr %r5,%r3 # copy remaining size + aghi %r5,-1 # subtract 1 for xc loop + bras %r4,8f + xc 0(1,%r2),0(%r2) +7: xc 0(256,%r2),0(%r2) + la %r2,256(%r2) +8: aghi %r5,-256 + jnm 7b + ex %r5,0(%r2) +9: lgr %r2,%r3 br %r14 .section __ex_table,"a" .quad 0b,4b