2.4.36-stable kernel tree
Revision | cbf009d573c9db69f4e9c57558639ddf563cceef (tree) |
---|---|
Date | 2006-10-09 07:17:34 |
Author | Martin Schwidefsky <schwidefsky@de.i...> |
Committer | Willy Tarreau |
[PATCH] copy_from_user information leak on s390.
There is/has been a bug with copy_from_user on s390. The problem is that
it does not pad the kernel buffer with zeroes in case of a fault on the
user address. That allows a malicious user to read uninitialized kernel
memory. The bug is already fixed upstream:
The uaccess code for s390 has changed recently; for older 2.6 versions
you need a different patch, and for 2.4 yet another one.
Description: kernel: user readable uninitialised kernel memory.
Symptom: None.
Problem: A user space program can read uninitialised kernel memory.
Solution: Fix the copy_from_user function to clear the remaining bytes
Martin Schwidefsky
Linux for zSeries Development & Services
IBM Deutschland Entwicklung GmbH
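The contract the commit message describes (on a fault in the user source, the uncopied tail of the kernel buffer must be zero-filled and the return value is the number of bytes not copied) is shown below as an added user-space model. It is not kernel code and not part of this commit: "user" memory is a plain array with a 4 KiB page size and a per-page fault flag, and the kernel buffer is pre-filled with a marker byte that stands in for whatever stale data a freshly allocated buffer holds. The page layout, the marker and the function names are assumptions made for the illustration.

```c
/*
 * Added illustration, not kernel code: a user-space model of the
 * copy_from_user() contract restored by this patch on s390.
 *
 * Assumptions (hypothetical, for the model only):
 *  - "user" memory is a byte array with 4 KiB pages, and a flag per
 *    page marks pages whose read faults;
 *  - the kernel buffer is pre-filled with a marker byte standing in for
 *    stale data left in a freshly allocated kernel buffer.
 */
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE 4096
#define USER_PAGES 4

static unsigned char user_mem[USER_PAGES * PAGE_SIZE];
static int user_page_faults[USER_PAGES];   /* 1 = reading this page faults */

/* Number of bytes starting at `from` that can be read before a faulting page. */
static size_t readable_prefix(size_t from, size_t n)
{
    size_t done = 0;
    while (done < n) {
        size_t page = (from + done) / PAGE_SIZE;
        if (page >= USER_PAGES || user_page_faults[page])
            break;
        size_t to_boundary = PAGE_SIZE - ((from + done) % PAGE_SIZE);
        size_t chunk = (n - done < to_boundary) ? n - done : to_boundary;
        done += chunk;
    }
    return done;
}

/* Pre-fix behaviour: copy what is readable and leave the tail untouched.
 * Returns the number of bytes NOT copied, as copy_from_user does. */
static size_t copy_from_user_unpadded(unsigned char *to, size_t from, size_t n)
{
    size_t ok = readable_prefix(from, n);
    memcpy(to, user_mem + from, ok);
    return n - ok;
}

/* Post-fix behaviour: identical, but the uncopied tail is zero-filled, so a
 * caller that goes on to use the buffer after a short copy sees no stale bytes. */
static size_t copy_from_user_padded(unsigned char *to, size_t from, size_t n)
{
    size_t ok = readable_prefix(from, n);
    memcpy(to, user_mem + from, ok);
    memset(to + ok, 0, n - ok);
    return n - ok;
}

/* Count the bytes of buf[0..n) that still hold the stale marker. */
static size_t stale_bytes(const unsigned char *buf, size_t n, unsigned char marker)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (buf[i] == marker)
            count++;
    return count;
}

/* Scenario (constructed): a 100-byte copy that starts 40 bytes before the
 * end of user page 0, with page 1 unmapped. Returns how many stale marker
 * bytes the chosen implementation leaves in the kernel buffer; the padded
 * version must return 0. Returns (size_t)-1 if the short-copy count is off. */
static size_t leaked_after_short_copy(int padded)
{
    unsigned char kbuf[100];
    const unsigned char STALE = 0xAA;            /* stands in for old kernel data */
    size_t from = PAGE_SIZE - 40;

    memset(user_mem, 0x41, sizeof user_mem);      /* user data is all 'A' */
    memset(user_page_faults, 0, sizeof user_page_faults);
    user_page_faults[1] = 1;                      /* second page faults on read */
    memset(kbuf, STALE, sizeof kbuf);

    size_t not_copied = padded
        ? copy_from_user_padded(kbuf, from, sizeof kbuf)
        : copy_from_user_unpadded(kbuf, from, sizeof kbuf);

    /* 40 bytes come from page 0, the remaining 60 fault on page 1. */
    if (not_copied != 60)
        return (size_t)-1;
    return stale_bytes(kbuf, sizeof kbuf, STALE);
}
```

With the unpadded copy the 60 uncopied bytes still carry the marker, which is the "user readable uninitialised kernel memory" of the bug description whenever a caller hands that buffer back to user space or acts on it; the padded copy leaves none.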
@@ -19,8 +19,8 @@ __copy_from_user_asm: | ||
19 | 19 | sacf 512 |
20 | 20 | 0: mvcle %r2,%r4,0 |
21 | 21 | jo 0b |
22 | -1: sacf 0 | |
23 | 22 | lr %r2,%r5 |
23 | +1: sacf 0 | |
24 | 24 | br %r14 |
25 | 25 | 2: lhi %r1,-4096 |
26 | 26 | lr %r3,%r4 |
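Review bot: moving label 1: below `lr %r2,%r5` changes the contract for the `j 1b` in the fault path: the success path still falls through the load, but anything that jumps to 1b now has to place the return value (bytes not copied) in %r2 itself before the jump. A comment at the relocated label, e.g. `1: sacf 0 # %r2 = bytes not copied`, would make that explicit, since the label no longer sits in front of the load the caller's return value depends on.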
@@ -28,17 +28,23 @@ __copy_from_user_asm: | ||
28 | 28 | nr %r3,%r1 # %r3 = (%r4 + 4096) & -4096 |
29 | 29 | slr %r3,%r4 # %r3 = #bytes to next user page boundary |
30 | 30 | clr %r5,%r3 # copy crosses next page boundary ? |
31 | - jnh 1b # no, this page fauled | |
31 | + jnh 4b # no, this page fauled | |
32 | 32 | # The page after the current user page might have faulted. |
33 | - # We cant't find out which page because the program check handler | |
33 | + # We can't find out which page because the program check handler | |
34 | 34 | # might have callled schedule, destroying all lowcore information. |
35 | 35 | # We retry with the shortened length. |
36 | 36 | 3: mvcle %r2,%r4,0 |
37 | 37 | jo 3b |
38 | +4: lr %r1,%r5 # pad remaining bytes with 0 | |
39 | + lr %r3,%r5 | |
40 | + slr %r5,%r5 | |
41 | +5: mvcle %r2,%r4,0 | |
42 | + jo 5b | |
43 | + lr %r2,%r1 | |
38 | 44 | j 1b |
39 | 45 | .section __ex_table,"a" |
40 | 46 | .long 0b,2b |
41 | - .long 3b,1b | |
47 | + .long 3b,4b | |
42 | 48 | .previous |
43 | 49 | |
44 | 50 | .align 4 |
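Review bot: the new pad sequence at 4: deserves a comment on how it works: `lr %r1,%r5` parks the residual count, `lr %r3,%r5` makes it the destination length, and `slr %r5,%r5` zeroes the source length so that `5: mvcle %r2,%r4,0` stores only the pad byte (the 0 in the third operand) over the uncopied tail; `lr %r2,%r1` then restores the count as the return value for the `j 1b`. Also, the rewritten line `jnh 4b # no, this page fauled` keeps the "fauled" typo and the following context line still reads "callled"; since the hunk already corrects "cant't", correct these to "faulted" and "called" while the lines are being touched.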
@@ -19,8 +19,8 @@ __copy_from_user_asm: | ||
19 | 19 | sacf 512 |
20 | 20 | 0: mvcle %r2,%r4,0 |
21 | 21 | jo 0b |
22 | -1: sacf 0 | |
23 | 22 | lgr %r2,%r5 |
23 | +1: sacf 0 | |
24 | 24 | br %r14 |
25 | 25 | 2: lghi %r1,-4096 |
26 | 26 | lgr %r3,%r4 |
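Review bot: same label move as in the 32-bit version, with the same consequence: once `1:` sits below `lgr %r2,%r5`, a `j 1b` from the fault path relies on %r2 already holding the bytes-not-copied count. Add the same `# %r2 = bytes not copied` comment at the label here so the two variants document the contract identically.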
@@ -28,17 +28,23 @@ __copy_from_user_asm: | ||
28 | 28 | ngr %r3,%r1 # %r3 = (%r4 + 4096) & -4096 |
29 | 29 | slgr %r3,%r4 # %r3 = #bytes to next user page boundary |
30 | 30 | clgr %r5,%r3 # copy crosses next page boundary ? |
31 | - jnh 1b # no, this page fauled | |
31 | + jnh 4b # no, this page fauled | |
32 | 32 | # The page after the current user page might have faulted. |
33 | - # We cant't find out which page because the program check handler | |
33 | + # We can't find out which page because the program check handler | |
34 | 34 | # might have callled schedule, destroying all lowcore information. |
35 | 35 | # We retry with the shortened length. |
36 | 36 | 3: mvcle %r2,%r4,0 |
37 | 37 | jo 3b |
38 | +4: lgr %r1,%r5 # pad remaining bytes with 0 | |
39 | + lgr %r3,%r5 | |
40 | + slgr %r5,%r5 | |
41 | +5: mvcle %r4,%r2,0 | |
42 | + jo 5b | |
43 | + lgr %r2,%r1 | |
38 | 44 | j 1b |
39 | 45 | .section __ex_table,"a" |
40 | 46 | .quad 0b,2b |
41 | - .quad 3b,1b | |
47 | + .quad 3b,4b | |
42 | 48 | .previous |
43 | 49 | |
44 | 50 | .align 4 |
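Review bot: the operand order in `5: mvcle %r4,%r2,0` looks wrong. MVCLE moves from the second register pair into the first, so as written the destination is %r4/%r5, whose length %r5 was just cleared by `slgr %r5,%r5`; with a zero-length destination nothing is stored and the kernel buffer tail is not padded, which is exactly the leak this patch is meant to close. Every other mvcle in this routine and the 32-bit counterpart at `5:` use `mvcle %r2,%r4,0`; this one should too. The "fauled" and "callled" comment typos noted in the 32-bit hunk are also left in place here.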