[kernel] r21627 - in dists/sid/linux/debian: . patches patches/bugfix/s390

Aurelien Jarno aurel32 at moszumanska.debian.org
Thu Jul 24 05:48:54 UTC 2014


Author: aurel32
Date: Thu Jul 24 05:48:54 2014
New Revision: 21627

Log:
[s390,s390x] ptrace: fix PSW mask check (CVE-2014-3534).

Added:
   dists/sid/linux/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch
Modified:
   dists/sid/linux/debian/changelog
   dists/sid/linux/debian/patches/series

Modified: dists/sid/linux/debian/changelog
==============================================================================
--- dists/sid/linux/debian/changelog	Thu Jul 24 05:46:46 2014	(r21626)
+++ dists/sid/linux/debian/changelog	Thu Jul 24 05:48:54 2014	(r21627)
@@ -12,6 +12,7 @@
   * [mipsel,mips64el/loongson-2e,2f] Enable CONFIG_RTC_DRV_CMOS as built-in.
   * [mips*] Add few new udebs and use standard udebs configuration when
     possible.
+  * [s390,s390x] ptrace: fix PSW mask check (CVE-2014-3534).
 
  -- Aurelien Jarno <aurel32 at debian.org>  Mon, 21 Jul 2014 23:18:59 +0200 
 

Added: dists/sid/linux/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/sid/linux/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch	Thu Jul 24 05:48:54 2014	(r21627)
@@ -0,0 +1,56 @@
+From: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Date: Mon, 23 Jun 2014 15:29:40 +0200
+Subject: s390/ptrace: fix PSW mask check
+Origin: https://git.kernel.org/linus/dab6cf55f81a6e16b8147aed9a843e1691dcd318
+
+The PSW mask check of the PTRACE_POKEUSR_AREA command is incorrect.
+The PSW_MASK_USER define contains the PSW_MASK_ASC bits, the ptrace
+interface accepts all combinations for the address-space-control
+bits. To protect the kernel space the PSW mask check in ptrace needs
+to reject the address-space-control bit combination for home space.
+
+Fixes CVE-2014-3534
+
+Cc: stable at vger.kernel.org
+Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+---
+ arch/s390/kernel/ptrace.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
+index 2d716734..5dc7ad9 100644
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -334,9 +334,14 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data)
+ 			unsigned long mask = PSW_MASK_USER;
+ 
+ 			mask |= is_ri_task(child) ? PSW_MASK_RI : 0;
+-			if ((data & ~mask) != PSW_USER_BITS)
++			if ((data ^ PSW_USER_BITS) & ~mask)
++				/* Invalid psw mask. */
++				return -EINVAL;
++			if ((data & PSW_MASK_ASC) == PSW_ASC_HOME)
++				/* Invalid address-space-control bits */
+ 				return -EINVAL;
+ 			if ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA))
++				/* Invalid addressing mode bits */
+ 				return -EINVAL;
+ 		}
+ 		*(addr_t *)((addr_t) &task_pt_regs(child)->psw + addr) = data;
+@@ -672,9 +677,12 @@ static int __poke_user_compat(struct task_struct *child,
+ 
+ 			mask |= is_ri_task(child) ? PSW32_MASK_RI : 0;
+ 			/* Build a 64 bit psw mask from 31 bit mask. */
+-			if ((tmp & ~mask) != PSW32_USER_BITS)
++			if ((tmp ^ PSW32_USER_BITS) & ~mask)
+ 				/* Invalid psw mask. */
+ 				return -EINVAL;
++			if ((data & PSW32_MASK_ASC) == PSW32_ASC_HOME)
++				/* Invalid address-space-control bits */
++				return -EINVAL;
+ 			regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) |
+ 				(regs->psw.mask & PSW_MASK_BA) |
+ 				(__u64)(tmp & mask) << 32;
+-- 
+2.0.0
+
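Review bot: In the `__poke_user_compat` hunk the new home-space check tests `data` while the mask check directly above it tests `tmp`; `tmp` is defined outside the hunk, so the two are only equivalent if `tmp` is the 32-bit truncation of `data` and `PSW32_MASK_ASC` lies within those low 32 bits. Writing it as `if ((tmp & PSW32_MASK_ASC) == PSW32_ASC_HOME)` would keep both validations on the same value and remove that dependence. The comment `/* Build a 64 bit psw mask from 31 bit mask. */` sits above the validity checks rather than the `regs->psw.mask = ...` assignment it describes, and would read better directly before that assignment. Since the commit message says the home-space rejection is what protects kernel space, the comment on both new checks could say so, e.g. `/* Home space ASC is rejected to protect kernel space */`. Both function bodies start and end outside the hunks.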

Modified: dists/sid/linux/debian/patches/series
==============================================================================
--- dists/sid/linux/debian/patches/series	Thu Jul 24 05:46:46 2014	(r21626)
+++ dists/sid/linux/debian/patches/series	Thu Jul 24 05:48:54 2014	(r21627)
@@ -69,6 +69,7 @@
 bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
 bugfix/all/disable-some-marvell-phys.patch
 bugfix/all/bluetooth-allocate-static-minor-for-vhci.patch
+bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch
 
 # Miscellaneous features
 features/all/x86-memtest-WARN-if-bad-RAM-found.patch


