[kernel] r21618 - in dists/wheezy-security/linux/debian: . patches patches/bugfix/s390

Ben Hutchings benh at moszumanska.debian.org
Wed Jul 23 00:35:45 UTC 2014


Author: benh
Date: Wed Jul 23 00:35:45 2014
New Revision: 21618

Log:
[s390,s390x] ptrace: fix PSW mask check (CVE-2014-3534)

Added:
   dists/wheezy-security/linux/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch
Modified:
   dists/wheezy-security/linux/debian/changelog
   dists/wheezy-security/linux/debian/patches/series

Modified: dists/wheezy-security/linux/debian/changelog
==============================================================================
--- dists/wheezy-security/linux/debian/changelog	Tue Jul 22 23:15:53 2014	(r21617)
+++ dists/wheezy-security/linux/debian/changelog	Wed Jul 23 00:35:45 2014	(r21618)
@@ -2,6 +2,7 @@
 
   * net/l2tp: don't fall back on UDP [get|set]sockopt (CVE-2014-4943)
   * sctp: Fix sk_ack_backlog wrap-around problem (CVE-2014-4667)
+  * [s390,s390x] ptrace: fix PSW mask check (CVE-2014-3534)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Wed, 23 Jul 2014 00:10:57 +0100
 

Added: dists/wheezy-security/linux/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/wheezy-security/linux/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch	Wed Jul 23 00:35:45 2014	(r21618)
@@ -0,0 +1,65 @@
+From: Martin Schwidefsky <schwidefsky at de.ibm.com>
+Date: Mon, 23 Jun 2014 15:29:40 +0200
+Subject: s390/ptrace: fix PSW mask check
+Origin: https://git.kernel.org/linus/dab6cf55f81a6e16b8147aed9a843e1691dcd318
+
+The PSW mask check of the PTRACE_POKEUSR_AREA command is incorrect.
+The PSW_MASK_USER define contains the PSW_MASK_ASC bits, the ptrace
+interface accepts all combinations for the address-space-control
+bits. To protect the kernel space the PSW mask check in ptrace needs
+to reject the address-space-control bit combination for home space.
+
+Fixes CVE-2014-3534
+
+Cc: stable at vger.kernel.org
+Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
+[bwh: Backported to 3.2:
+ - The PSW user-settable bitmasks are constant, never including PSW_MASK_RI
+ - The kernel can run in either home or primary space, so instead that
+   the ASC bits are not equal PSW_ASC_HOME, we have to check that they
+   don't match psw_kernel_bits
+ - For the same reason, the required values of non-user-settable bits
+   are variables (psw_user_bits/psw32_user_bits) and remain so]
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+---
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -291,11 +291,18 @@ static int __poke_user(struct task_struc
+ 		/*
+ 		 * psw and gprs are stored on the stack
+ 		 */
+-		if (addr == (addr_t) &dummy->regs.psw.mask &&
+-		    ((data & ~PSW_MASK_USER) != psw_user_bits ||
+-		     ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA))))
+-			/* Invalid psw mask. */
+-			return -EINVAL;
++		if (addr == (addr_t) &dummy->regs.psw.mask) {
++			if ((data ^ psw_user_bits) & ~PSW_MASK_USER)
++				/* Invalid psw mask. */
++				return -EINVAL;
++			if ((data & PSW_MASK_ASC) ==
++			    (psw_kernel_bits & PSW_MASK_ASC))
++				/* Invalid address-space-control bits */
++				return -EINVAL;
++			if ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA))
++				/* Invalid addressing mode bits */
++				return -EINVAL;
++		}
+ 		*(addr_t *)((addr_t) &task_pt_regs(child)->psw + addr) = data;
+ 
+ 	} else if (addr < (addr_t) (&dummy->regs.orig_gpr2)) {
+@@ -595,9 +602,13 @@ static int __poke_user_compat(struct tas
+ 		 */
+ 		if (addr == (addr_t) &dummy32->regs.psw.mask) {
+ 			/* Build a 64 bit psw mask from 31 bit mask. */
+-			if ((tmp & ~PSW32_MASK_USER) != psw32_user_bits)
++			if ((tmp ^ psw32_user_bits) & ~PSW32_MASK_USER)
+ 				/* Invalid psw mask. */
+ 				return -EINVAL;
++			if ((data & PSW32_MASK_ASC) ==
++			    ((psw_kernel_bits & PSW_MASK_ASC) >> 32))
++				/* Invalid address-space-control bits */
++				return -EINVAL;
+ 			regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) |
+ 				(regs->psw.mask & PSW_MASK_BA) |
+ 				(__u64)(tmp & PSW32_MASK_USER) << 32;
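Review bot: In the `__poke_user_compat` hunk of the embedded patch, the added address-space-control test reads `data` while the checks around it read `tmp`. Assuming `tmp` is the 32-bit truncation of `data` (its definition is outside the hunk), the result is the same, but `if ((tmp & PSW32_MASK_ASC) ==` would keep the block consistent and make it plain that only the 31-bit mask is compared, unless staying textually close to the upstream commit is preferred. Both new ASC checks would also read better with a comment that gives the reason rather than the outcome, e.g. `/* Reject the ASC value the kernel itself runs with (psw_kernel_bits) */`, because this backport compares against a variable instead of a fixed home-space constant. The bodies of `__poke_user` and `__poke_user_compat` both continue outside the hunks shown.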

Modified: dists/wheezy-security/linux/debian/patches/series
==============================================================================
--- dists/wheezy-security/linux/debian/patches/series	Tue Jul 22 23:15:53 2014	(r21617)
+++ dists/wheezy-security/linux/debian/patches/series	Wed Jul 23 00:35:45 2014	(r21618)
@@ -1142,3 +1142,4 @@
 bugfix/all/revert-net-ip-ipv6-handle-gso-skbs-in-forwarding-pat.patch
 bugfix/all/net-l2tp-don-t-fall-back-on-UDP-get-set-sockopt.patch
 bugfix/all/sctp-fix-sk_ack_backlog-wrap-around-problem.patch
+bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch


