Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:steve-beattie
kernel
linux-2.6-s390-information-leak.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File linux-2.6-s390-information-leak.patch of Package kernel
Date: Tue, 31 Oct 2006 11:47:30 +0100 From: Jan Glauber <jglauber@redhat.com> Subject: [RHEL5 PATCH] CVE-2006-5174: information leak on s390 The same security issue we fixed in RHEL3 & 4 is also in RHEL5. Fix is upstream, tested by me. Jan -- jglauber@redhat.com jang@de.ibm.com Description: kernel: user readable uninitialised kernel memory. Problem: A user space program can read uninitialised kernel memory by appending to a file from a bad address and then reading the result back. The cause is the copy_from_user function that does not clear the remaining bytes of the kernel buffer after it got a fault on the user space address. Solution: Fix the copy_from_user function to clear the remaining bytes of the kernel buffer after a user space fault. --- linux-2.5/arch/s390/lib/uaccess64.S 30 Aug 2006 13:34:10 -0000 1.7.2.1 +++ linux-2.5/arch/s390/lib/uaccess64.S 13 Oct 2006 17:24:10 -0000 1.7.2.2 @@ -40,7 +40,17 @@ # move with the reduced length which is < 256 5: mvcp 0(%r5,%r2),0(%r4),%r0 slgr %r3,%r5 -6: lgr %r2,%r3 + algr %r2,%r5 +6: lgr %r5,%r3 # copy remaining size + aghi %r5,-1 # subtract 1 for xc loop + bras %r4,8f + xc 0(1,%r2),0(%r2) +7: xc 0(256,%r2),0(%r2) + la %r2,256(%r2) +8: aghi %r5,-256 + jnm 7b + ex %r5,0(%r4) +9: lgr %r2,%r3 br %r14 .section __ex_table,"a" .quad 0b,4b --- linux-2.5/arch/s390/lib/uaccess.S 30 Aug 2006 13:34:10 -0000 1.9.2.1 +++ linux-2.5/arch/s390/lib/uaccess.S 13 Oct 2006 17:24:10 -0000 1.9.2.2 @@ -40,7 +40,17 @@ # move with the reduced length which is < 256 5: mvcp 0(%r5,%r2),0(%r4),%r0 slr %r3,%r5 -6: lr %r2,%r3 + alr %r2,%r5 +6: lr %r5,%r3 # copy remaining size + ahi %r5,-1 # subtract 1 for xc loop + bras %r4,8f + xc 0(1,%r2),0(%r2) +7: xc 0(256,%r2),0(%r2) + la %r2,256(%r2) +8: ahi %r5,-256 + jnm 7b + ex %r5,0(%r4) +9: lr %r2,%r3 br %r14 .section __ex_table,"a" .long 0b,4b
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor