[kernel-sec-discuss] r3454 - active
Ben Hutchings
benh at moszumanska.debian.org
Wed Jul 23 00:13:11 UTC 2014
Author: benh
Date: 2014-07-23 00:13:11 +0000 (Wed, 23 Jul 2014)
New Revision: 3454
Modified:
active/CVE-2014-3534
Log:
Update description of CVE-2014-3534 after re-reading Martin's explanation
This is based on a private mail, so I can't just add a reference. :-(
Modified: active/CVE-2014-3534
===================================================================
--- active/CVE-2014-3534 2014-07-23 00:03:39 UTC (rev 3453)
+++ active/CVE-2014-3534 2014-07-23 00:13:11 UTC (rev 3454)
@@ -2,13 +2,13 @@
References:
Notes:
bwh> Martin Schwidefsky says this was introduced by commit fa968ee215c0
- bwh> ("s390/signal: set correct address space control"), but only if the
- bwh> kernel parameter user_mode=primary is used. Commit e258d719ff28
- bwh> ("s390/uaccess: always run the kernel in home space") closed the
- bwh> vulnerability in signal handling (the kernel parameter no longer
- bwh> exists) and replaced it with a vulnerability through ptrace.
- bwh> The upstream fix therefore fixes the second vulnerability but 3.2.y
- bwh> suffers from the first (which maybe wants its own CVE ID).
+ bwh> ("s390/signal: set correct address space control"). It added the
+ bwh> ASC (Address Space Control) processor status bits to those that
+ bwh> must be restored on return from signals, but as a result they can
+ bwh> also be set arbitrarily by ptrace. This opens a vulnerability if
+ bwh> the kernel parameter user_mode=primary is used. Commit e258d719ff28
+ bwh> ("s390/uaccess: always run the kernel in home space") made that
+ bwh> the default (I think).
Bugs:
upstream: pending (3.16-rc7) [dab6cf55f81a6e16b8147aed9a843e1691dcd318]
2.6.32-upstream-stable: N/A ("vulnerable code not present")
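Review bot: The last added lines ("made that the default (I think)") leave the exposure condition unconfirmed, so a reader cannot tell whether kernels containing e258d719ff28 are vulnerable unconditionally or only when user_mode=primary is set. The removed lines also recorded that 3.2.y was affected and that the kernel parameter no longer exists after e258d719ff28; neither statement survives in the new note, and the status lines visible in this hunk cover only upstream and 2.6.32-upstream-stable. Suggest confirming the default before committing the hedge, and stating explicitly which stable branches need the parameter to be exposed and which are exposed regardless, so that per-branch triage does not depend on the private mail mentioned in the log message.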