-stable review patch. If anyone has any objections, please let us know. ------------------ From: Martin Schwidefsky [S390] user readable uninitialised kernel memory. A user space program can read uninitialised kernel memory by appending to a file from a bad address and then reading the result back. The cause is the copy_from_user function that does not clear the remaining bytes of the kernel buffer after it got a fault on the user space address. Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman --- arch/s390/lib/uaccess.S | 12 +++++++++++- arch/s390/lib/uaccess64.S | 12 +++++++++++- 2 files changed, 22 insertions(+), 2 deletions(-) --- linux-2.6.18.orig/arch/s390/lib/uaccess.S +++ linux-2.6.18/arch/s390/lib/uaccess.S @@ -40,7 +40,17 @@ __copy_from_user_asm: # move with the reduced length which is < 256 5: mvcp 0(%r5,%r2),0(%r4),%r0 slr %r3,%r5 -6: lr %r2,%r3 + alr %r2,%r5 +6: lgr %r5,%r3 # copy remaining size + ahi %r5,-1 # subtract 1 for xc loop + bras %r4,8f + xc 0(1,%2),0(%2) +7: xc 0(256,%2),0(%2) + la %r2,256(%r2) +8: ahji %r5,-256 + jnm 7b + ex %r5,0(%r2) +9: lr %r2,%r3 br %r14 .section __ex_table,"a" .long 0b,4b --- linux-2.6.18.orig/arch/s390/lib/uaccess64.S +++ linux-2.6.18/arch/s390/lib/uaccess64.S @@ -40,7 +40,17 @@ __copy_from_user_asm: # move with the reduced length which is < 256 5: mvcp 0(%r5,%r2),0(%r4),%r0 slgr %r3,%r5 -6: lgr %r2,%r3 + algr %r2,%r5 +6: lgr %r5,%r3 # copy remaining size + aghi %r5,-1 # subtract 1 for xc loop + bras %r4,8f + xc 0(1,%r2),0(%r2) +7: xc 0(256,%r2),0(%r2) + la %r2,256(%r2) +8: aghi %r5,-256 + jnm 7b + ex %r5,0(%r2) +9: lgr %r2,%r3 br %r14 .section __ex_table,"a" .quad 0b,4b -- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/