There is/has been a bug with copy_from_user on s390. The problem is that
it does not pad the kernel buffer with zeroes in case of a fault on the
user address. That allows a malicious user to read uninitialized kernel
memory. The bug is already fixed upstream:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=52149ba6b0ddf3e9d965257cc0513193650b3ea8
The uaccess code for s390 has changed recently, for older 2.6 versions
you need a different patch, and for 2.4 yet another one.
Description: kernel: user readable uninitialised kernel memory.
Symptom: None.
Problem: A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.
Solution: Fix the copy_from_user function to clear the remaining bytes
of the kernel buffer after a user space fault.
Martin Schwidefsky
Linux for zSeries Development & Services
IBM Deutschland Entwicklung GmbH
sacf 512
0: mvcle %r2,%r4,0
jo 0b
-1: sacf 0
lr %r2,%r5
+1: sacf 0
br %r14
2: lhi %r1,-4096
lr %r3,%r4
nr %r3,%r1 # %r3 = (%r4 + 4096) & -4096
slr %r3,%r4 # %r3 = #bytes to next user page boundary
clr %r5,%r3 # copy crosses next page boundary ?
- jnh 1b # no, this page fauled
+ jnh 4b # no, this page fauled
# The page after the current user page might have faulted.
- # We cant't find out which page because the program check handler
+ # We can't find out which page because the program check handler
# might have callled schedule, destroying all lowcore information.
# We retry with the shortened length.
3: mvcle %r2,%r4,0
jo 3b
+4: lr %r1,%r5 # pad remaining bytes with 0
+ lr %r3,%r5
+ slr %r5,%r5
+5: mvcle %r2,%r4,0
+ jo 5b
+ lr %r2,%r1
j 1b
.section __ex_table,"a"
.long 0b,2b
- .long 3b,1b
+ .long 3b,4b
.previous
.align 4
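Review bot: the new pad loop at label 5 has no `__ex_table` entry; that is safe only because `slr %r5,%r5` sets the source length to zero, so `5: mvcle %r2,%r4,0` never touches user memory and only stores the pad byte 0 into the kernel buffer, and that reasoning deserves a one-line comment next to `5:` so the next reader does not add a spurious fixup entry. Also, `+ jnh 4b # no, this page fauled` is being rewritten anyway, so fix the comment to "faulted" (and "callled" in the context right below) while here. Otherwise the logic checks out: `lr %r1,%r5` saves the uncopied count, `lr %r3,%r5` makes it the destination length, `lr %r2,%r1` returns it, and moving the `1:` label past `lr %r2,%r5` lets both the normal path and the fault path share the single `sacf 0; br %r14` exit, with the `.long 3b,4b` entry now sending a fault in the shortened retry through the padding path as well.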
sacf 512
0: mvcle %r2,%r4,0
jo 0b
-1: sacf 0
lgr %r2,%r5
+1: sacf 0
br %r14
2: lghi %r1,-4096
lgr %r3,%r4
ngr %r3,%r1 # %r3 = (%r4 + 4096) & -4096
slgr %r3,%r4 # %r3 = #bytes to next user page boundary
clgr %r5,%r3 # copy crosses next page boundary ?
- jnh 1b # no, this page fauled
+ jnh 4b # no, this page fauled
# The page after the current user page might have faulted.
- # We cant't find out which page because the program check handler
+ # We can't find out which page because the program check handler
# might have callled schedule, destroying all lowcore information.
# We retry with the shortened length.
3: mvcle %r2,%r4,0
jo 3b
+4: lgr %r1,%r5 # pad remaining bytes with 0
+ lgr %r3,%r5
+ slgr %r5,%r5
+5: mvcle %r4,%r2,0
+ jo 5b
+ lgr %r2,%r1
j 1b
.section __ex_table,"a"
.quad 0b,2b
- .quad 3b,1b
+ .quad 3b,4b
.previous
.align 4
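Review bot: `+5: mvcle %r4,%r2,0` has its operand order reversed relative to the 31-bit routine's `5: mvcle %r2,%r4,0`. MVCLE's first operand pair is the destination, so as written the destination is %r4/%r5, and `slgr %r5,%r5` has just set that length to zero: the instruction stores nothing, the kernel buffer addressed by %r2/%r3 keeps its stale contents, and the 64-bit copy_from_user retains exactly the leak this patch is meant to close, with nothing visibly failing because %r2 still gets the correct uncopied count from `lgr %r2,%r1`. Suggest `5: mvcle %r2,%r4,0` to match the 31-bit hunk. The same remarks as for the 31-bit hunk apply here: a comment at `5:` noting why no `__ex_table` entry is needed, and fixing "fauled" in the `+ jnh 4b` line while it is being touched.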
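As an added example (not from this mail or the s390 patch), the following user-space C model shows the contract the patch restores: copy_from_user returns the number of bytes it could not copy, and the fixed version zero-fills that tail of the kernel buffer instead of leaving whatever was there before. The fault is simulated by a caller-chosen byte offset (`fault_at`) because user-space code cannot reproduce a real access fault, the "stale kernel data" is a constructed 0xAA fill, and the page-boundary retry logic of the real mvcle routine is deliberately not modelled; all names here are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of a user-space source region. fault_at is the first offset at
 * which a read "faults"; a value >= the copy length means no fault.
 * (Example-only type; not part of the kernel or the patch.) */
typedef struct {
    const unsigned char *src;
    size_t fault_at;
} user_region;

/* Buggy behaviour from the mail: copy up to the fault and return the
 * uncopied count, leaving the rest of the kernel buffer untouched. */
size_t copy_from_user_buggy(unsigned char *dst, const user_region *u, size_t n)
{
    size_t ok = u->fault_at < n ? u->fault_at : n;
    memcpy(dst, u->src, ok);
    return n - ok;
}

/* Fixed behaviour: same return value, but the tail is padded with zeros,
 * which is what the patched mvcle loop at labels 4/5 does with a zero
 * source length and pad byte 0. */
size_t copy_from_user_fixed(unsigned char *dst, const user_region *u, size_t n)
{
    size_t ok = u->fault_at < n ? u->fault_at : n;
    memcpy(dst, u->src, ok);
    memset(dst + ok, 0, n - ok);
    return n - ok;
}

/* Run one copy variant on a kernel buffer pre-filled with a constructed
 * stale marker (0xAA) and count how many marker bytes survive in the
 * first n bytes. A nonzero result means stale kernel data would reach
 * whoever reads the buffer back. The uncopied count is optionally
 * returned through out_remaining. */
size_t stale_bytes_after_copy(size_t (*copy)(unsigned char *, const user_region *, size_t),
                              size_t n, size_t fault_at, size_t *out_remaining)
{
    unsigned char kbuf[64];
    unsigned char ubuf[64];
    size_t i, stale = 0, rem;

    if (n > sizeof(kbuf))
        n = sizeof(kbuf);
    memset(kbuf, 0xAA, sizeof(kbuf));          /* constructed stale contents */
    for (i = 0; i < sizeof(ubuf); i++)         /* constructed user data a..z */
        ubuf[i] = (unsigned char)('a' + i % 26);

    user_region u = { ubuf, fault_at };
    rem = copy(kbuf, &u, n);
    if (out_remaining)
        *out_remaining = rem;
    for (i = 0; i < n; i++)
        if (kbuf[i] == 0xAA)
            stale++;
    return stale;
}

/* Convenience: just the uncopied count for a given variant and fault offset. */
size_t remaining_after_copy(size_t (*copy)(unsigned char *, const user_region *, size_t),
                            size_t n, size_t fault_at)
{
    size_t rem = 0;
    stale_bytes_after_copy(copy, n, fault_at, &rem);
    return rem;
}

int main(void)
{
    size_t rem, stale;

    stale = stale_bytes_after_copy(copy_from_user_buggy, 32, 10, &rem);
    printf("buggy: %zu uncopied, %zu stale kernel bytes exposed\n", rem, stale);
    stale = stale_bytes_after_copy(copy_from_user_fixed, 32, 10, &rem);
    printf("fixed: %zu uncopied, %zu stale kernel bytes exposed\n", rem, stale);
    return 0;
}
```

Both variants report the same uncopied count (22 of 32 bytes when the fault sits at offset 10), which is why a caller that only checks the return value cannot tell them apart; only the contents of the tail differ, and that is the part the patch's padding loop fixes.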