[kernel] r21622 - dists/wheezy-security/linux/debian/patches/bugfix/s390

Ben Hutchings benh at moszumanska.debian.org
Wed Jul 23 12:11:47 UTC 2014


Author: benh
Date: Wed Jul 23 12:11:47 2014
New Revision: 21622

Log:
Replace patch for CVE-2014-3534 with Martin's original version for 3.2

Modified:
   dists/wheezy-security/linux/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch

Modified: dists/wheezy-security/linux/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch
==============================================================================
--- dists/wheezy-security/linux/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch	Wed Jul 23 09:38:19 2014	(r21621)
+++ dists/wheezy-security/linux/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch	Wed Jul 23 12:11:47 2014	(r21622)
@@ -1,65 +1,40 @@
 From: Martin Schwidefsky <schwidefsky at de.ibm.com>
-Date: Mon, 23 Jun 2014 15:29:40 +0200
+Date: Mon, 23 Jun 2014 14:43:06 +0200
 Subject: s390/ptrace: fix PSW mask check
-Origin: https://git.kernel.org/linus/dab6cf55f81a6e16b8147aed9a843e1691dcd318
 
 The PSW mask check of the PTRACE_POKEUSR_AREA command is incorrect.
-The PSW_MASK_USER define contains the PSW_MASK_ASC bits, the ptrace
-interface accepts all combinations for the address-space-control
-bits. To protect the kernel space the PSW mask check in ptrace needs
-to reject the address-space-control bit combination for home space.
+For the default user_mode=home address space layout the psw_user_bits
+variable has the home space address-space-control bits set. But the
+PSW_MASK_USER contains PSW_MASK_ASC, the ptrace validity check for the
+PSW mask will therefore always fail.
 
 Fixes CVE-2014-3534
 
-Cc: stable at vger.kernel.org
 Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
-[bwh: Backported to 3.2:
- - The PSW user-settable bitmasks are constant, never including PSW_MASK_RI
- - The kernel can run in either home or primary space, so instead of
-   checking that the ASC bits are not equal to PSW_ASC_HOME, we have to
-   check that they don't match psw_kernel_bits
- - For the same reason, the required values of non-user-settable bits
-   are variables (psw_user_bits/psw32_user_bits) and remain so]
-Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
 ---
+
 --- a/arch/s390/kernel/ptrace.c
 +++ b/arch/s390/kernel/ptrace.c
-@@ -291,11 +291,18 @@ static int __poke_user(struct task_struc
- 		/*
+@@ -292,7 +292,9 @@ static int __poke_user(struct task_struc
  		 * psw and gprs are stored on the stack
  		 */
--		if (addr == (addr_t) &dummy->regs.psw.mask &&
+ 		if (addr == (addr_t) &dummy->regs.psw.mask &&
 -		    ((data & ~PSW_MASK_USER) != psw_user_bits ||
--		     ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA))))
--			/* Invalid psw mask. */
--			return -EINVAL;
-+		if (addr == (addr_t) &dummy->regs.psw.mask) {
-+			if ((data ^ psw_user_bits) & ~PSW_MASK_USER)
-+				/* Invalid psw mask. */
-+				return -EINVAL;
-+			if ((data & PSW_MASK_ASC) ==
-+			    (psw_kernel_bits & PSW_MASK_ASC))
-+				/* Invalid address-space-control bits */
-+				return -EINVAL;
-+			if ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA))
-+				/* Invalid addressing mode bits */
-+				return -EINVAL;
-+		}
- 		*(addr_t *)((addr_t) &task_pt_regs(child)->psw + addr) = data;
- 
- 	} else if (addr < (addr_t) (&dummy->regs.orig_gpr2)) {
-@@ -595,9 +602,13 @@ static int __poke_user_compat(struct tas
++		    (((data^psw_user_bits) & ~PSW_MASK_USER) ||
++		     (((data^psw_user_bits) & PSW_MASK_ASC) &&
++		      ((data|psw_user_bits) & PSW_MASK_ASC) == PSW_MASK_ASC) ||
+ 		     ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA))))
+ 			/* Invalid psw mask. */
+ 			return -EINVAL;
+@@ -595,7 +597,10 @@ static int __poke_user_compat(struct tas
  		 */
  		if (addr == (addr_t) &dummy32->regs.psw.mask) {
  			/* Build a 64 bit psw mask from 31 bit mask. */
 -			if ((tmp & ~PSW32_MASK_USER) != psw32_user_bits)
-+			if ((tmp ^ psw32_user_bits) & ~PSW32_MASK_USER)
++			if (((tmp^psw32_user_bits) & ~PSW32_MASK_USER) ||
++			    (((tmp^psw32_user_bits) & PSW32_MASK_ASC) &&
++			     ((tmp|psw32_user_bits) & PSW32_MASK_ASC)
++			     == PSW32_MASK_ASC))
  				/* Invalid psw mask. */
  				return -EINVAL;
-+			if ((data & PSW32_MASK_ASC) ==
-+			    ((psw_kernel_bits & PSW_MASK_ASC) >> 32))
-+				/* Invalid address-space-control bits */
-+				return -EINVAL;
  			regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) |
- 				(regs->psw.mask & PSW_MASK_BA) |
- 				(__u64)(tmp & PSW32_MASK_USER) << 32;
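Review bot: The address-space-control test added to `__poke_user` is written as an XOR/OR pair inside one compound condition with no comment, so a reader cannot easily confirm which ASC values are refused; the same applies to the `__poke_user_compat` change further down. As written it rejects a value whose ASC bits differ from `psw_user_bits` while the two together set both ASC bits, which presumably is meant to stop a tracer from selecting the address space the kernel runs in under either user_mode layout. That intent should be stated next to the check, e.g. `/* ASC bits may differ from psw_user_bits only if that cannot select the kernel's address space */`. The replacement header also drops the `Origin:` line and the bwh backport notes without recording where this 3.2 version was taken from, so I would add an `Origin:` or `Forwarded:` line pointing at its source. Both function bodies start and end outside the inner hunks.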


