releases/2.6.18.3/s390-user-readable-uninitialised-kernel-memory-take-2.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From schwidefsky@de.ibm.com  Fri Nov  3 06:46:40 2006
 Date: Fri, 03 Nov 2006 15:43:36 +0100
 From: Martin Schwidefsky <schwidefsky@de.ibm.com>
 Message-Id: <1162565016.7416.7.camel@localhost>
 To: chrisw@sous-sol.org
 Cc: greg@kroah.com, stable@kernel.org
 Subject: S390: user readable uninitialised kernel memory, take 2.

 The previous patch to correct the copy_from_user padding is quite
 broken. The execute instruction needs to be done via the register %r4,
 not via %r2 and 31 bit doesn't know the instructions lgr and ahji.

 Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
 Signed-off-by: Chris Wright <chrisw@sous-sol.org>
 ---
  arch/s390/lib/uaccess.S   |   10 +++++-----
  arch/s390/lib/uaccess64.S |    2 +-
  2 files changed, 6 insertions(+), 6 deletions(-)

 --- linux-2.6.18.2.orig/arch/s390/lib/uaccess64.S
 +++ linux-2.6.18.2/arch/s390/lib/uaccess64.S
 @@ -49,7 +49,7 @@ __copy_from_user_asm:
  	la	%r2,256(%r2)
  8:	aghi	%r5,-256
  	jnm	7b
 -	ex	%r5,0(%r2)
 +	ex	%r5,0(%r4)
  9:	lgr	%r2,%r3
  	br	%r14
          .section __ex_table,"a"
 --- linux-2.6.18.2.orig/arch/s390/lib/uaccess.S
 +++ linux-2.6.18.2/arch/s390/lib/uaccess.S
 @@ -41,15 +41,15 @@ __copy_from_user_asm:
  5:	mvcp	0(%r5,%r2),0(%r4),%r0
  	slr	%r3,%r5
  	alr	%r2,%r5
 -6:	lgr	%r5,%r3		# copy remaining size
 +6:	lr	%r5,%r3		# copy remaining size
  	ahi	%r5,-1		# subtract 1 for xc loop
  	bras	%r4,8f
 -	xc	0(1,%2),0(%2)
 -7:	xc	0(256,%2),0(%2)
 +	xc	0(1,%r2),0(%r2)
 +7:	xc	0(256,%r2),0(%r2)
  	la	%r2,256(%r2)
 -8:	ahji	%r5,-256
 +8:	ahi	%r5,-256
  	jnm	7b
 -	ex	%r5,0(%r2)
 +	ex	%r5,0(%r4)
  9:	lr	%r2,%r3
  	br	%r14
          .section __ex_table,"a"
	From schwidefsky@de.ibm.com Fri Nov 3 06:46:40 2006
	Date: Fri, 03 Nov 2006 15:43:36 +0100
	From: Martin Schwidefsky <schwidefsky@de.ibm.com>
	Message-Id: <1162565016.7416.7.camel@localhost>
	To: chrisw@sous-sol.org
	Cc: greg@kroah.com, stable@kernel.org
	Subject: S390: user readable uninitialised kernel memory, take 2.

	The previous patch to correct the copy_from_user padding is quite
	broken. The execute instruction needs to be done via the register %r4,
	not via %r2 and 31 bit doesn't know the instructions lgr and ahji.

	Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
	Signed-off-by: Chris Wright <chrisw@sous-sol.org>
	---
	arch/s390/lib/uaccess.S \| 10 +++++-----
	arch/s390/lib/uaccess64.S \| 2 +-
	2 files changed, 6 insertions(+), 6 deletions(-)

	--- linux-2.6.18.2.orig/arch/s390/lib/uaccess64.S
	+++ linux-2.6.18.2/arch/s390/lib/uaccess64.S
	@@ -49,7 +49,7 @@ __copy_from_user_asm:
	la %r2,256(%r2)
	8: aghi %r5,-256
	jnm 7b
	- ex %r5,0(%r2)
	+ ex %r5,0(%r4)
	9: lgr %r2,%r3
	br %r14
	.section __ex_table,"a"
	--- linux-2.6.18.2.orig/arch/s390/lib/uaccess.S
	+++ linux-2.6.18.2/arch/s390/lib/uaccess.S
	@@ -41,15 +41,15 @@ __copy_from_user_asm:
	5: mvcp 0(%r5,%r2),0(%r4),%r0
	slr %r3,%r5
	alr %r2,%r5
	-6: lgr %r5,%r3 # copy remaining size
	+6: lr %r5,%r3 # copy remaining size
	ahi %r5,-1 # subtract 1 for xc loop
	bras %r4,8f
	- xc 0(1,%2),0(%2)
	-7: xc 0(256,%2),0(%2)
	+ xc 0(1,%r2),0(%r2)
	+7: xc 0(256,%r2),0(%r2)
	la %r2,256(%r2)
	-8: ahji %r5,-256
	+8: ahi %r5,-256
	jnm 7b
	- ex %r5,0(%r2)
	+ ex %r5,0(%r4)
	9: lr %r2,%r3
	br %r14
	.section __ex_table,"a"