From 40c17d6b3fa414ef3e9ef65af416de648ac2907c Mon Sep 17 00:00:00 2001
From: Aurelien Jarno
Date: Thu, 24 Jul 2014 05:48:54 +0000
Subject: [PATCH] [s390,s390x] ptrace: fix PSW mask check (CVE-2014-3534).

svn path=/dists/sid/linux/; revision=21627
---
 debian/changelog | 1 +
 .../s390/s390-ptrace-fix-PSW-mask-check.patch | 56 +++++++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 58 insertions(+)
 create mode 100644 debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch

diff --git a/debian/changelog b/debian/changelog
index cbd050366..d2557b228 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -12,6 +12,7 @@ linux (3.14.13-2) UNRELEASED; urgency=medium
 * [mipsel,mips64el/loongson-2e,2f] Enable CONFIG_RTC_DRV_CMOS as built-in.
 * [mips*] Add few new udebs and use standard udebs configuration when
 possible.
+ * [s390,s390x] ptrace: fix PSW mask check (CVE-2014-3534).
 
 -- Aurelien Jarno Mon, 21 Jul 2014 23:18:59 +0200
 
diff --git a/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch b/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch
new file mode 100644
index 000000000..af6c8fb65
--- /dev/null
+++ b/debian/patches/bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch
@@ -0,0 +1,56 @@
+From: Martin Schwidefsky
+Date: Mon, 23 Jun 2014 15:29:40 +0200
+Subject: s390/ptrace: fix PSW mask check
+Origin: https://git.kernel.org/linus/dab6cf55f81a6e16b8147aed9a843e1691dcd318
+
+The PSW mask check of the PTRACE_POKEUSR_AREA command is incorrect.
+The PSW_MASK_USER define contains the PSW_MASK_ASC bits, the ptrace
+interface accepts all combinations for the address-space-control
+bits. To protect the kernel space the PSW mask check in ptrace needs
+to reject the address-space-control bit combination for home space.
+
+Fixes CVE-2014-3534
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Schwidefsky
+---
+ arch/s390/kernel/ptrace.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
+index 2d716734..5dc7ad9 100644
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -334,9 +334,14 @@ static int __poke_user(struct task_struct *child, addr_t addr, addr_t data)
+ unsigned long mask = PSW_MASK_USER;
+
+ mask |= is_ri_task(child) ? PSW_MASK_RI : 0;
+- if ((data & ~mask) != PSW_USER_BITS)
++ if ((data ^ PSW_USER_BITS) & ~mask)
++ /* Invalid psw mask. */
++ return -EINVAL;
++ if ((data & PSW_MASK_ASC) == PSW_ASC_HOME)
++ /* Invalid address-space-control bits */
+ return -EINVAL;
+ if ((data & PSW_MASK_EA) && !(data & PSW_MASK_BA))
++ /* Invalid addressing mode bits */
+ return -EINVAL;
+ }
+ *(addr_t *)((addr_t) &task_pt_regs(child)->psw + addr) = data;
+@@ -672,9 +677,12 @@ static int __poke_user_compat(struct task_struct *child,
+
+ mask |= is_ri_task(child) ? PSW32_MASK_RI : 0;
+ /* Build a 64 bit psw mask from 31 bit mask. */
+- if ((tmp & ~mask) != PSW32_USER_BITS)
++ if ((tmp ^ PSW32_USER_BITS) & ~mask)
+ /* Invalid psw mask. */
+ return -EINVAL;
++ if ((data & PSW32_MASK_ASC) == PSW32_ASC_HOME)
++ /* Invalid address-space-control bits */
++ return -EINVAL;
+ regs->psw.mask = (regs->psw.mask & ~PSW_MASK_USER) |
+ (regs->psw.mask & PSW_MASK_BA) |
+ (__u64)(tmp & mask) << 32;
+--
+2.0.0
+
diff --git a/debian/patches/series b/debian/patches/series
index 06f465b46..e54e1a6d4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -69,6 +69,7 @@ bugfix/all/misc-bmp085-Enable-building-as-a-module.patch
 bugfix/all/kbuild-use-nostdinc-in-compile-tests.patch
 bugfix/all/disable-some-marvell-phys.patch
 bugfix/all/bluetooth-allocate-static-minor-for-vhci.patch
+bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch
 
 # Miscellaneous features
 features/all/x86-memtest-WARN-if-bad-RAM-found.patch
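Review bot: In the `__poke_user_compat` hunk the added home-space test reads `data`, while the mask test directly above it and the assignment below both work on `tmp`; if `tmp` is the 32-bit value derived from `data` (its declaration is outside the hunk), writing `if ((tmp & PSW32_MASK_ASC) == PSW32_ASC_HOME)` keeps every check on the value that is actually stored into `regs->psw.mask`. The new comments name the rejected field but not the reason, and this is the check the commit message ties to CVE-2014-3534. A comment such as `/* PSW_MASK_USER lets the ASC bits through; home space must be rejected to protect kernel space. */` in both functions would make it less likely that a later cleanup folds the test back into the mask comparison. Both functions start and end outside the hunks shown.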