From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Ben Hutchings <ben@decadent.org.uk>
Subject: [PATCH 3.10 19/21] s390/ptrace: fix PSW mask check
Date: Tue, 29 Jul 2014 18:48:48 -0700
Message-ID: <20140730014831.284017694@linuxfoundation.org>
In-Reply-To: <20140730014830.424826215@linuxfoundation.org>

3.10-stable review patch. If anyone has any objections, please let me know.

------------------

From: Martin Schwidefsky <schwidefsky@de.ibm.com>

commit dab6cf55f81a6e16b8147aed9a843e1691dcd318 upstream.

The PSW mask check of the PTRACE_POKEUSR_AREA command is incorrect.
The PSW_MASK_USER define contains the PSW_MASK_ASC bits, the ptrace
interface accepts all combinations for the address-space-control
bits. To protect the kernel space the PSW mask check in ptrace needs
to reject the address-space-control bit combination for home space.

Fixes CVE-2014-3534

Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/kernel/ptrace.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/arch/s390/kernel/ptrace.c
+++ b/arch/s390/kernel/ptrace.c
@@ -314,7 +314,9 @@ static int __poke_user(struct task_struc
* psw and gprs are stored on the stack
*/
if (addr == (addr_t) &dummy->regs.psw.mask &&
- ((data & ~PSW_MASK_USER) != psw_user_bits ||
+ (((data^psw_user_bits) & ~PSW_MASK_USER) ||
+ (((data^psw_user_bits) & PSW_MASK_ASC) &&
+ ((data|psw_user_bits) & PSW_MASK_ASC) == PSW_MASK_ASC) ||
((data & PSW_MASK_EA) && !(data & PSW_MASK_BA))))
/* Invalid psw mask. */
return -EINVAL;
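
Review bot: in the __poke_user() hunk the added ASC test only has meaning relative to the ASC bits held in psw_user_bits, and nothing in the code says which combinations are meant to pass. The pair `((data^psw_user_bits) & PSW_MASK_ASC) && ((data|psw_user_bits) & PSW_MASK_ASC) == PSW_MASK_ASC` rejects a value whose ASC bits differ from psw_user_bits when the two together cover every bit of PSW_MASK_ASC, while the commit message states the goal as rejecting the home-space combination. A comment above the condition spelling out that mapping would make the check auditable, since `/* Invalid psw mask. */` does not say it. As a style point, `data^psw_user_bits` and `data|psw_user_bits` lack the spaces around binary operators that the unchanged lines use.
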
@@ -627,7 +629,10 @@ static int __poke_user_compat(struct tas
*/
if (addr == (addr_t) &dummy32->regs.psw.mask) {
/* Build a 64 bit psw mask from 31 bit mask. */
- if ((tmp & ~PSW32_MASK_USER) != psw32_user_bits)
+ if (((tmp^psw32_user_bits) & ~PSW32_MASK_USER) ||
+ (((tmp^psw32_user_bits) & PSW32_MASK_ASC) &&
+ ((tmp|psw32_user_bits) & PSW32_MASK_ASC)
+ == PSW32_MASK_ASC))
/* Invalid psw mask. */
return -EINVAL;
regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) |
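
Review bot: the condition added to __poke_user_compat() is a copy of the one in __poke_user() with tmp and the PSW32_ constants substituted, so the two checks can drift apart in a later change. Consider a small static helper that takes the value, the user bits, the user mask and the ASC mask, and call it from both paths. The continuation `== PSW32_MASK_ASC))` on its own line also makes it hard to see at a glance that the comparison applies to the OR term; keeping it on the same line as `((tmp|psw32_user_bits) & PSW32_MASK_ASC)` would make the grouping clearer.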