CVE-2004-0887 in 2.4
Repoke.
I think I'll go ahead and put this into our tree & revert if it causes
problems.
hey Bastian,
CAN-2004-0887 is fixed in our 2.6.8:
* [SECURITY] s390: Fix for local root exploit: Force user process back to
home space mode in space switch event exception handler. (CAN-2004-0887)
(Bastian Blank)
The vulnerable code looks to be present in 2.4.27 as well, but I don't
see a patch in either kernel-source-2.4.27 or the s390 patch package.
I've tried my hand at porting it (below). Should we apply it? If so,
where is the proper place to submit it upstream - direct to
lkml/Marcelo?
--- kernel-source-2.4.27/arch/s390/kernel/traps.c.orig 2006-01-16 19:31:12.000000000 -0700
+++ kernel-source-2.4.27/arch/s390/kernel/traps.c 2006-01-16 19:32:12.000000000 -0700
@@ -622,6 +622,20 @@
}
}
+asmlinkage void space_switch_exception(struct pt_regs * regs, long int_code)
+{
+ siginfo_t info;
+
+ /* Set user psw back to home space mode. */
+ if (regs->psw.mask & PSW_MASK_PSTATE)
+ regs->psw.mask |= PSW_ASC_HOME;
+ /* Send SIGILL. */
+ info.si_signo = SIGILL;
+ info.si_errno = 0;
+ info.si_code = ILL_PRVOPC;
+ info.si_addr = get_check_address(regs);
+ do_trap(int_code, SIGILL, "space switch event", regs, &info);
+}
/* init is done in lowcore.S and head.S */
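Review bot: the new handler is a verbatim lift of the 2.6 space_switch_exception(), so before it goes into the 2.4.27 tree please confirm that PSW_MASK_PSTATE and PSW_ASC_HOME are defined under those names in 2.4.27's asm/ptrace.h and that this traps.c already has do_trap() and get_check_address() with the signatures used on the `do_trap(int_code, SIGILL, "space switch event", regs, &info);` and `info.si_addr = get_check_address(regs);` lines; if the 2.4 headers spell the PSW bits differently the hunk will not compile, and if they are missing the constants need to come with the patch. The `if (regs->psw.mask & PSW_MASK_PSTATE)` guard is the right shape: only a user-mode PSW is forced back to home space, and the kernel-mode case still reaches do_trap() and is reported rather than silently fixed up.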
@@ -646,7 +660,7 @@
pgm_check_table[0x13] = &special_op_exception;
pgm_check_table[0x14] = &do_pseudo_page_fault;
pgm_check_table[0x15] = &operand_exception;
- pgm_check_table[0x1C] = &privileged_op;
+ pgm_check_table[0x1C] = &space_switch_exception;
#if defined (CONFIG_VIRT_TIMER) || defined (CONFIG_NO_IDLE_HZ)
pgm_check_table[0x40] = &do_monitor_call;
#endif
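Review bot: the table change only covers arch/s390/kernel/traps.c; if 2.4.27 still carries the separate arch/s390x tree, its pgm_check_table[0x1C] entry presumably points at privileged_op as well and needs the same handler swap, otherwise the 64-bit kernel stays unfixed while the changelog claims CAN-2004-0887 is closed. It would also help to say in the patch description why interruption code 0x1C (space switch event) was previously routed to privileged_op and what the new handler changes, since the one-line hunk gives a later reader no hint that this is the security-relevant part of the fix.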
--
dann frazier <dannf@dannf.org>