From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Martin Schwidefsky <schwidefsky@de.ibm.com>
Subject: [PATCH 3.14 10/29] s390/ptrace: fix PSW mask check
Date: Tue, 29 Jul 2014 18:48:45 -0700 [thread overview]
Message-ID: <20140730014809.756830943@linuxfoundation.org> (raw)
In-Reply-To: <20140730014809.316066303@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Schwidefsky <schwidefsky@de.ibm.com>
commit dab6cf55f81a6e16b8147aed9a843e1691dcd318 upstream.
The PSW mask check of the PTRACE_POKEUSR_AREA command is incorrect.
The PSW_MASK_USER define contains the PSW_MASK_ASC bits, the ptrace
interface accepts all combinations for the address-space-control
bits. To protect the kernel space the PSW mask check in ptrace needs
to reject the address-space-control bit combination for home space.
Fixes CVE-2014-3534
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/kernel/ptrace.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
--- a/arch/s390/kernel/ptrace.c
+++ b/arch/s390/kernel/ptrace.c
@@ -323,9 +323,14 @@ static int __poke_user(struct task_struc
unsigned long mask = PSW_MASK_USER;
mask |= is_ri_task(child) ? PSW_MASK_RI : 0;
- if ((data & ~mask) != PSW_USER_BITS)
+ if ((data ^ PSW_USER_BITS) & ~mask)
+ /* Invalid psw mask. */
+ return -EINVAL;
+ if ((data & PSW_MASK_ASC) == PSW_ASC_HOME)
+ /* Invalid address-space-control bits */
return -EINVAL;
if ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA))
+ /* Invalid addressing mode bits */
return -EINVAL;
}
*(addr_t *)((addr_t) &task_pt_regs(child)->psw + addr) = data;
@@ -661,9 +666,12 @@ static int __poke_user_compat(struct tas
mask |= is_ri_task(child) ? PSW32_MASK_RI : 0;
/* Build a 64 bit psw mask from 31 bit mask. */
- if ((tmp & ~mask) != PSW32_USER_BITS)
+ if ((tmp ^ PSW32_USER_BITS) & ~mask)
/* Invalid psw mask. */
return -EINVAL;
+ if ((data & PSW32_MASK_ASC) == PSW32_ASC_HOME)
+ /* Invalid address-space-control bits */
+ return -EINVAL;
regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) |
(regs->psw.mask & PSW_MASK_BA) |
(__u64)(tmp & mask) << 32;
next prev parent reply other threads:[~2014-07-30 2:03 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-30 1:48 [PATCH 3.14 00/29] 3.14.15-stable review Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 01/29] media: staging: tighten omap4iss dependencies Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 02/29] media: media: v4l2-core: v4l2-dv-timings.c: Cleaning up code wrong value used in aspect ratio Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 03/29] media: hdpvr: fix two audio bugs Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 04/29] media: tda10071: force modulation to QPSK on DVB-S Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 05/29] nfs: only show Posix ACLs in listxattr if actually present Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 06/29] block: provide compat ioctl for BLKZEROOUT Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 07/29] block: dont assume last put of shared tags is for the host Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 08/29] libata: support the ata host which implements a queue depth less than 32 Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 09/29] libata: introduce ata_host->n_tags to avoid oops on SAS controllers Greg Kroah-Hartman
2014-07-30 1:48 ` Greg Kroah-Hartman [this message]
2014-07-30 1:48 ` [PATCH 3.14 11/29] ahci: add support for the Promise FastTrak TX8660 SATA HBA (ahci mode) Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 12/29] blkcg: dont call into policy draining if root_blkg is already gone Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 13/29] tracing: Fix wraparound problems in "uptime" trace clock Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 14/29] slab_common: fix the check for duplicate slab names Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 15/29] Input: synaptics - add min/max quirk for pnp-id LEN2002 (Edge E531) Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 16/29] Input: fix defuzzing logic Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 17/29] coredump: fix the setting of PF_DUMPCORE Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 18/29] parisc: Remove SA_RESTORER define Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 19/29] hwmon: (smsc47m192) Fix temperature limit and vrm write operations Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 20/29] parport: fix menu breakage Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 21/29] fs: umount on symlink leaks mnt count Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.14 22/29] x86_32, entry: Store badsys error code in %eax Greg Kroah-Hartman
2014-07-30 1:49 ` [PATCH 3.14 25/29] mm: hugetlb: fix copy_hugetlb_page_range() Greg Kroah-Hartman
2014-07-30 1:49 ` [PATCH 3.14 28/29] nl80211: move set_qos_map command into split state Greg Kroah-Hartman
2014-07-30 1:49 ` [PATCH 3.14 29/29] platform_get_irq: Revert to platform_get_resource if of_irq_get fails Greg Kroah-Hartman
2014-07-30 16:08 ` [PATCH 3.14 00/29] 3.14.15-stable review Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140730014809.756830943@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=schwidefsky@de.ibm.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox