
linux-2.4.36: Commit

2.4.36-stable kernel tree


Commit metadata

Revision: cbf009d573c9db69f4e9c57558639ddf563cceef (tree)
Date: 2006-10-09 07:17:34
Author: Martin Schwidefsky <schwidefsky@de.i...>
Committer: Willy Tarreau

Log message

[PATCH] copy_from_user information leak on s390.

There is/has been a bug with copy_from_user on s390. The problem is that
it does not pad the kernel buffer with zeroes in case of a fault on the
user address. That allows a malicious user to read uninitialized kernel
memory. The bug is already fixed upstream:

http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=52149ba6b0ddf3e9d965257cc0513193650b3ea8

The uaccess code for s390 has changed recently, for older 2.6 versions
you need a different patch, and for 2.4 yet another one.

Description: kernel: user readable uninitialised kernel memory.
Symptom: None.
Problem: A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.
Solution: Fix the copy_from_user function to clear the remaining bytes
of the kernel buffer after a user space fault.

Martin Schwidefsky
Linux for zSeries Development & Services
IBM Deutschland Entwicklung GmbH
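To make the failure described in the log message concrete, here is an added C model of the two behaviours (it is not the kernel's code and not part of this commit): a mvcle-like copy that stops at the first unmapped user page and either leaves the tail of the kernel buffer untouched, as before the patch, or zero-pads it, as the patch does. The three-page user memory layout, the unmapped middle page and the 0xAA "stale" buffer contents are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#define PAGE_SIZE 4096U
/* Constructed model of user memory: three 4 KiB pages, the middle one
 * unmapped.  user_byte_ok() stands in for the access check that makes
 * mvcle take a program check on s390. */
static unsigned char user_mem[3 * PAGE_SIZE];
static const bool user_page_mapped[3] = { true, false, true };

static bool user_byte_ok(size_t o) { return o < sizeof user_mem && user_page_mapped[o / PAGE_SIZE]; }

/* Before the patch: a stand-in for the mvcle loop that copies until the
 * first unmapped user byte and returns the number of bytes NOT copied.
 * The uncopied tail of 'to' keeps whatever the kernel buffer held. */
size_t copy_from_user_unpadded(unsigned char *to, size_t from, size_t n)
{
    size_t done = 0;
    while (done < n && user_byte_ok(from + done)) {
        to[done] = user_mem[from + done];
        done++;
    }
    return n - done;
}

/* After the patch (labels 4:/5: in the diff): the uncopied tail is
 * overwritten with zeros before the short count is returned. */
size_t copy_from_user_padded(unsigned char *to, size_t from, size_t n)
{
    size_t left = copy_from_user_unpadded(to, from, n);
    memset(to + (n - left), 0, left);   /* pad remaining bytes with 0 */
    return left;
}

/* One 256-byte copy starting 128 bytes before the unmapped page into a
 * kernel buffer pre-filled with 0xAA (constructed "stale" data). Returns
 * how many 0xAA bytes survive, or (size_t)-1 if the short count is wrong. */
size_t stale_bytes_left(bool padded)
{
    unsigned char kbuf[256];
    memset(kbuf, 0xAA, sizeof kbuf);
    memset(user_mem, 0x11, sizeof user_mem);
    size_t left = padded ? copy_from_user_padded(kbuf, PAGE_SIZE - 128, 256)
                         : copy_from_user_unpadded(kbuf, PAGE_SIZE - 128, 256);
    size_t stale = 0;
    for (size_t i = 0; i < sizeof kbuf; i++) stale += (kbuf[i] == 0xAA);
    return left == 128 ? stale : (size_t)-1;
}
```

Both variants return the same short count of 128; only the padded one leaves nothing of the old buffer contents for a caller that goes on to use the full length.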

Change summary

Diff

--- a/arch/s390/lib/uaccess.S
+++ b/arch/s390/lib/uaccess.S
@@ -19,8 +19,8 @@ __copy_from_user_asm:
1919 sacf 512
2020 0: mvcle %r2,%r4,0
2121 jo 0b
22-1: sacf 0
2322 lr %r2,%r5
23+1: sacf 0
2424 br %r14
2525 2: lhi %r1,-4096
2626 lr %r3,%r4
@@ -28,17 +28,23 @@ __copy_from_user_asm:
2828 nr %r3,%r1 # %r3 = (%r4 + 4096) & -4096
2929 slr %r3,%r4 # %r3 = #bytes to next user page boundary
3030 clr %r5,%r3 # copy crosses next page boundary ?
31- jnh 1b # no, this page fauled
31+ jnh 4b # no, this page fauled
3232 # The page after the current user page might have faulted.
33- # We cant't find out which page because the program check handler
33+ # We can't find out which page because the program check handler
3434 # might have callled schedule, destroying all lowcore information.
3535 # We retry with the shortened length.
3636 3: mvcle %r2,%r4,0
3737 jo 3b
38+4: lr %r1,%r5 # pad remaining bytes with 0
39+ lr %r3,%r5
40+ slr %r5,%r5
41+5: mvcle %r2,%r4,0
42+ jo 5b
43+ lr %r2,%r1
3844 j 1b
3945 .section __ex_table,"a"
4046 .long 0b,2b
41- .long 3b,1b
47+ .long 3b,4b
4248 .previous
4349
4450 .align 4
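Review bot: the pad sequence at `4:` matches the register pairing of the copy loops (`%r2`/`%r3` kernel destination, `%r4`/`%r5` user source): `lr %r3,%r5` makes the destination length the bytes still outstanding, `slr %r5,%r5` gives a source length of zero, and `mvcle %r2,%r4,0` then stores the pad byte 0 over the tail. The `lr %r1,%r5` before it is the only thing preserving the short count that `lr %r2,%r1` hands back, so the comment "pad remaining bytes with 0" should also say that %r1 carries the return value. The rewritten `+ jnh 4b` line keeps the "fauled" typo; "faulted" would match the "cant't" fix a few lines below.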
--- a/arch/s390x/lib/uaccess.S
+++ b/arch/s390x/lib/uaccess.S
@@ -19,8 +19,8 @@ __copy_from_user_asm:
1919 sacf 512
2020 0: mvcle %r2,%r4,0
2121 jo 0b
22-1: sacf 0
2322 lgr %r2,%r5
23+1: sacf 0
2424 br %r14
2525 2: lghi %r1,-4096
2626 lgr %r3,%r4
@@ -28,17 +28,23 @@ __copy_from_user_asm:
2828 ngr %r3,%r1 # %r3 = (%r4 + 4096) & -4096
2929 slgr %r3,%r4 # %r3 = #bytes to next user page boundary
3030 clgr %r5,%r3 # copy crosses next page boundary ?
31- jnh 1b # no, this page fauled
31+ jnh 4b # no, this page fauled
3232 # The page after the current user page might have faulted.
33- # We cant't find out which page because the program check handler
33+ # We can't find out which page because the program check handler
3434 # might have callled schedule, destroying all lowcore information.
3535 # We retry with the shortened length.
3636 3: mvcle %r2,%r4,0
3737 jo 3b
38+4: lgr %r1,%r5 # pad remaining bytes with 0
39+ lgr %r3,%r5
40+ slgr %r5,%r5
41+5: mvcle %r4,%r2,0
42+ jo 5b
43+ lgr %r2,%r1
3844 j 1b
3945 .section __ex_table,"a"
4046 .quad 0b,2b
41- .quad 3b,1b
47+ .quad 3b,4b
4248 .previous
4349
4450 .align 4
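Review bot: `5: mvcle %r4,%r2,0` has the register pairs reversed relative to the 31-bit hunk (`mvcle %r2,%r4,0`) and to the copy loops at `0:` and `3:` in this same file, where `%r2`/`%r3` is the kernel destination and `%r4`/`%r5` the user source. With %r5 cleared by `slgr %r5,%r5` this mvcle has a destination length of 0, so it stores nothing and the uncopied tail of the kernel buffer stays uninitialised, which means the 64-bit build would still show the leak described in the log message. It should read `5: mvcle %r2,%r4,0` as in the s390 hunk.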