3d6e48f433
When running a 31-bit ptrace, on either an s390 or s390x kernel, reads and writes into a padding area in struct user_regs_struct32 will result in a kernel panic. This is also known as CVE-2008-1514. Test case available here: http://sources.redhat.com/cgi-bin/cvsweb.cgi/~checkout~/tests/ptrace-tests/tests/user-area-padding.c?cvsroot=systemtap Steps to reproduce: 1) wget the above 2) gcc -o user-area-padding-31bit user-area-padding.c -Wall -ggdb2 -D_GNU_SOURCE -m31 3) ./user-area-padding-31bit <panic> Test status ----------- Without patch, both s390 and s390x kernels panic. With patch, the test case, as well as the gdb testsuite, pass without incident, padding area reads returning zero, writes ignored. Nb: original version returned -EINVAL on write attempts, which broke the gdb test and made the test case slightly unhappy, Jan Kratochvil suggested the change to return 0 on write attempts. Signed-off-by: Jarod Wilson <jarod@redhat.com> Tested-by: Jan Kratochvil <jan.kratochvil@redhat.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> |
||
|---|---|---|
| .. | ||
| Makefile | ||
| asm-offsets.c | ||
| audit.c | ||
| audit.h | ||
| base.S | ||
| bitmap.S | ||
| compat_audit.c | ||
| compat_exec_domain.c | ||
| compat_linux.c | ||
| compat_linux.h | ||
| compat_ptrace.h | ||
| compat_signal.c | ||
| compat_wrapper.S | ||
| cpcmd.c | ||
| crash.c | ||
| debug.c | ||
| diag.c | ||
| dis.c | ||
| early.c | ||
| ebcdic.c | ||
| entry.S | ||
| entry.h | ||
| entry64.S | ||
| head.S | ||
| head31.S | ||
| head64.S | ||
| init_task.c | ||
| ipl.c | ||
| irq.c | ||
| kprobes.c | ||
| machine_kexec.c | ||
| mem_detect.c | ||
| module.c | ||
| process.c | ||
| ptrace.c | ||
| reipl.S | ||
| reipl64.S | ||
| relocate_kernel.S | ||
| relocate_kernel64.S | ||
| s390_ext.c | ||
| s390_ksyms.c | ||
| setup.c | ||
| signal.c | ||
| smp.c | ||
| stacktrace.c | ||
| sys_s390.c | ||
| syscalls.S | ||
| time.c | ||
| topology.c | ||
| traps.c | ||
| vmlinux.lds.S | ||
| vtime.c | ||