File linux-2.6-s390-information-leak.patch of Package kernel

Overview Repositories Revisions Requests Users Attributes Meta

File linux-2.6-s390-information-leak.patch of Package kernel

Date: Tue, 31 Oct 2006 11:47:30 +0100
From: Jan Glauber <jglauber@redhat.com>
Subject: [RHEL5 PATCH] CVE-2006-5174: information leak on s390

The same security issue we fixed in RHEL3 & 4 is also in RHEL5.
Fix is upstream, tested by me.

Jan
-- 
jglauber@redhat.com
jang@de.ibm.com

Description: kernel: user readable uninitialised kernel memory.
  Problem:     A user space program can read uninitialised kernel memory
               by appending to a file from a bad address and then reading
               the result back. The cause is the copy_from_user function
               that does not clear the remaining bytes of the kernel
               buffer after it got a fault on the user space address.
  Solution:    Fix the copy_from_user function to clear the remaining bytes
               of the kernel buffer after a user space fault.

--- linux-2.5/arch/s390/lib/uaccess64.S	30 Aug 2006 13:34:10 -0000	1.7.2.1
+++ linux-2.5/arch/s390/lib/uaccess64.S	13 Oct 2006 17:24:10 -0000	1.7.2.2
@@ -40,7 +40,17 @@
 	# move with the reduced length which is < 256
 5:	mvcp	0(%r5,%r2),0(%r4),%r0
 	slgr	%r3,%r5
-6:	lgr	%r2,%r3
+	algr	%r2,%r5
+6:	lgr	%r5,%r3		# copy remaining size
+	aghi	%r5,-1		# subtract 1 for xc loop
+	bras	%r4,8f
+	xc	0(1,%r2),0(%r2)
+7:	xc	0(256,%r2),0(%r2)
+	la	%r2,256(%r2)
+8:	aghi	%r5,-256
+	jnm	7b
+	ex	%r5,0(%r4)
+9:	lgr	%r2,%r3
 	br	%r14
         .section __ex_table,"a"
 	.quad	0b,4b

--- linux-2.5/arch/s390/lib/uaccess.S	30 Aug 2006 13:34:10 -0000	1.9.2.1
+++ linux-2.5/arch/s390/lib/uaccess.S	13 Oct 2006 17:24:10 -0000	1.9.2.2
@@ -40,7 +40,17 @@
 	# move with the reduced length which is < 256
 5:	mvcp	0(%r5,%r2),0(%r4),%r0
 	slr	%r3,%r5
-6:	lr	%r2,%r3
+	alr	%r2,%r5
+6:	lr	%r5,%r3		# copy remaining size
+	ahi	%r5,-1		# subtract 1 for xc loop
+	bras	%r4,8f
+	xc	0(1,%r2),0(%r2)
+7:	xc	0(256,%r2),0(%r2)
+	la	%r2,256(%r2)
+8:	ahi	%r5,-256
+	jnm	7b
+	ex	%r5,0(%r4)
+9:	lr	%r2,%r3
 	br	%r14
         .section __ex_table,"a"
 	.long	0b,4b

Places

File linux-2.6-s390-information-leak.patch of Package kernel

Places