From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Martin Schwidefsky <schwidefsky@de.ibm.com>,
Ben Hutchings <ben@decadent.org.uk>
Subject: [PATCH 3.10 19/21] s390/ptrace: fix PSW mask check
Date: Tue, 29 Jul 2014 18:48:48 -0700 [thread overview]
Message-ID: <20140730014831.284017694@linuxfoundation.org> (raw)
In-Reply-To: <20140730014830.424826215@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Schwidefsky <schwidefsky@de.ibm.com>
commit dab6cf55f81a6e16b8147aed9a843e1691dcd318 upstream.
The PSW mask check of the PTRACE_POKEUSR_AREA command is incorrect.
The PSW_MASK_USER define contains the PSW_MASK_ASC bits, the ptrace
interface accepts all combinations for the address-space-control
bits. To protect the kernel space the PSW mask check in ptrace needs
to reject the address-space-control bit combination for home space.
Fixes CVE-2014-3534
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Cc: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/kernel/ptrace.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/arch/s390/kernel/ptrace.c
+++ b/arch/s390/kernel/ptrace.c
@@ -314,7 +314,9 @@ static int __poke_user(struct task_struc
* psw and gprs are stored on the stack
*/
if (addr == (addr_t) &dummy->regs.psw.mask &&
- ((data & ~PSW_MASK_USER) != psw_user_bits ||
+ (((data^psw_user_bits) & ~PSW_MASK_USER) ||
+ (((data^psw_user_bits) & PSW_MASK_ASC) &&
+ ((data|psw_user_bits) & PSW_MASK_ASC) == PSW_MASK_ASC) ||
((data & PSW_MASK_EA) && !(data & PSW_MASK_BA))))
/* Invalid psw mask. */
return -EINVAL;
@@ -627,7 +629,10 @@ static int __poke_user_compat(struct tas
*/
if (addr == (addr_t) &dummy32->regs.psw.mask) {
/* Build a 64 bit psw mask from 31 bit mask. */
- if ((tmp & ~PSW32_MASK_USER) != psw32_user_bits)
+ if (((tmp^psw32_user_bits) & ~PSW32_MASK_USER) ||
+ (((tmp^psw32_user_bits) & PSW32_MASK_ASC) &&
+ ((tmp|psw32_user_bits) & PSW32_MASK_ASC)
+ == PSW32_MASK_ASC))
/* Invalid psw mask. */
return -EINVAL;
regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) |
next prev parent reply other threads:[~2014-07-30 1:48 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-30 1:48 [PATCH 3.10 00/21] 3.10.51-stable review Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 01/21] media: hdpvr: fix two audio bugs Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 02/21] media: tda10071: force modulation to QPSK on DVB-S Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 03/21] block: provide compat ioctl for BLKZEROOUT Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 04/21] block: dont assume last put of shared tags is for the host Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 05/21] libata: support the ata host which implements a queue depth less than 32 Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 06/21] libata: introduce ata_host->n_tags to avoid oops on SAS controllers Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 07/21] ahci: add support for the Promise FastTrak TX8660 SATA HBA (ahci mode) Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 08/21] blkcg: dont call into policy draining if root_blkg is already gone Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 09/21] tracing: Fix wraparound problems in "uptime" trace clock Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 10/21] slab_common: Do not check for duplicate slab names Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 11/21] slab_common: fix the " Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 12/21] Input: fix defuzzing logic Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 13/21] coredump: fix the setting of PF_DUMPCORE Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 14/21] parisc: Remove SA_RESTORER define Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 15/21] hwmon: (smsc47m192) Fix temperature limit and vrm write operations Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 16/21] x86_32, entry: Store badsys error code in %eax Greg Kroah-Hartman
2014-07-30 1:48 ` [PATCH 3.10 17/21] mm: hugetlb: fix copy_hugetlb_page_range() Greg Kroah-Hartman
2014-07-30 1:48 ` Greg Kroah-Hartman [this message]
2014-07-30 1:48 ` [PATCH 3.10 21/21] core, nfqueue, openvswitch: Orphan frags in skb_zerocopy and handle errors Greg Kroah-Hartman
2014-07-30 16:07 ` [PATCH 3.10 00/21] 3.10.51-stable review Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140730014831.284017694@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ben@decadent.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=schwidefsky@de.ibm.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).