Commit dfa2e9e7 authored by Martin Schwidefsky's avatar Martin Schwidefsky Committed by Adrian Bunk

[S390] fix user readable uninitialised kernel memory (CVE-2006-5174)

A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.
Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: default avatarAdrian Bunk <bunk@stusta.de>
parent 143144b7
...@@ -40,7 +40,17 @@ __copy_from_user_asm: ...@@ -40,7 +40,17 @@ __copy_from_user_asm:
# move with the reduced length which is < 256 # move with the reduced length which is < 256
5: mvcp 0(%r5,%r2),0(%r4),%r0 5: mvcp 0(%r5,%r2),0(%r4),%r0
slr %r3,%r5 slr %r3,%r5
6: lr %r2,%r3 alr %r2,%r5
6: lgr %r5,%r3 # copy remaining size
ahi %r5,-1 # subtract 1 for xc loop
bras %r4,8f
xc 0(1,%2),0(%2)
7: xc 0(256,%2),0(%2)
la %r2,256(%r2)
8: ahji %r5,-256
jnm 7b
ex %r5,0(%r2)
9: lr %r2,%r3
br %r14 br %r14
.section __ex_table,"a" .section __ex_table,"a"
.long 0b,4b .long 0b,4b
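Review bot: The 31-bit hunk cannot assemble as written: `lgr` at `6:` and `ahji` at `8:` are not ESA/390 mnemonics (the 31-bit forms are `lr` and `ahi`, which this same path already uses in `9: lr %r2,%r3` and `ahi %r5,-1`), and both `xc` lines spell the base register as `%2` instead of `%r2`. Independently of the typos, `ex %r5,0(%r2)` executes whatever bytes sit at the destination buffer rather than the `xc 0(1,%r2),0(%r2)` template whose address `bras %r4,8f` stored in %r4, so the final partial clear should be `ex %r5,0(%r4)`; the same `ex` operand appears in the s390x hunk below. The register roles of the `bras`/`ex` pair are worth a comment each, since the execute-a-template idiom is not obvious to a reader of the fixup path.
```asm
6:	lr	%r5,%r3		# copy remaining size (31-bit: lr, not lgr)
	ahi	%r5,-1		# subtract 1 for xc loop
	bras	%r4,8f		# %r4 = address of the 1-byte xc template below
	xc	0(1,%r2),0(%r2)
7:	xc	0(256,%r2),0(%r2)
# … unchanged: la %r2,256(%r2) …
8:	ahi	%r5,-256	# ahi, not ahji
# … unchanged: jnm 7b …
	ex	%r5,0(%r4)	# run the template; length-1 = low byte of %r5
```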
...@@ -40,7 +40,17 @@ __copy_from_user_asm: ...@@ -40,7 +40,17 @@ __copy_from_user_asm:
# move with the reduced length which is < 256 # move with the reduced length which is < 256
5: mvcp 0(%r5,%r2),0(%r4),%r0 5: mvcp 0(%r5,%r2),0(%r4),%r0
slgr %r3,%r5 slgr %r3,%r5
6: lgr %r2,%r3 algr %r2,%r5
6: lgr %r5,%r3 # copy remaining size
aghi %r5,-1 # subtract 1 for xc loop
bras %r4,8f
xc 0(1,%r2),0(%r2)
7: xc 0(256,%r2),0(%r2)
la %r2,256(%r2)
8: aghi %r5,-256
jnm 7b
ex %r5,0(%r2)
9: lgr %r2,%r3
br %r14 br %r14
.section __ex_table,"a" .section __ex_table,"a"
.quad 0b,4b .quad 0b,4b
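Review bot: The zeroing loop between `6:` and `9:` relies on an idiom that is undocumented in the hunk: `bras %r4,8f` saves the address of the following one-byte `xc` template in %r4 and jumps into the middle of the loop, and after the loop the low byte of %r5 (remaining minus one, modulo 256) is merged into the template's length field by `ex`. I would annotate the branch as `bras %r4,8f # %r4 = xc template address; enter loop at the count check` and give `ex` a comment saying it clears the final (low byte of %r5)+1 bytes. Note that if %r3 were 0 on entry to `6:`, %r5 would end at -257 and the `ex` would clear 256 bytes past the buffer; the exception-table entries that route faults to `6:` start outside this hunk, so whether %r3 is always non-zero there cannot be confirmed from the visible lines and deserves a one-line invariant comment at `6:`.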