From 8dccc8a21a8ca6c9eb73980fbe021aeece84d2c5 Mon Sep 17 00:00:00 2001 From: maximilian attems Date: Sun, 5 Nov 2006 19:32:09 +0000 Subject: [PATCH] rerevert s390 2.6.18.1 revert, add upstream fix2 for the copy_from_user mem padding svn path=/dists/trunk/linux-2.6/; revision=7696 --- debian/changelog | 9 +++ .../s390-copy_from_user_padding_take2.patch | 70 +++++++++++++++++++ debian/patches/series/5 | 2 + 3 files changed, 81 insertions(+) create mode 100644 debian/patches/bugfix/s390-copy_from_user_padding_take2.patch create mode 100644 debian/patches/series/5 diff --git a/debian/changelog b/debian/changelog index 14ca432ee..e47bd60dc 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,12 @@ +linux-2.6 (2.6.18-5) UNRELEASE; urgency=low + + * [s390] readd the fix for ""S390: user readable uninitialised kernel memory + (CVE-2006-5174)" + * [s390] temorarly add patch queued for 2.6.18.3 fixing 32 bit opcodes and + instructions. + + -- maximilian attems Sun, 5 Nov 2006 20:26:11 +0100 + linux-2.6 (2.6.18-4) unstable; urgency=low [ Norbert Tretkowski ] diff --git a/debian/patches/bugfix/s390-copy_from_user_padding_take2.patch b/debian/patches/bugfix/s390-copy_from_user_padding_take2.patch new file mode 100644 index 000000000..9d22b935c --- /dev/null +++ b/debian/patches/bugfix/s390-copy_from_user_padding_take2.patch @@ -0,0 +1,70 @@ +From chrisw@sous-sol.org Sun Nov 5 20:18:14 2006 +From: Chris Wright +To: maximilian attems +Cc: heiko.carstens@de.ibm.com, linux390@de.ibm.com, + debian-kernel@lists.debian.org, stable@kernel.org +Subject: Re: [stable] s390 2.6.18.2 debian build failure + +* maximilian attems (maks@sternwelten.at) wrote: +> as a future datapoint the problematic patch is from 2.6.18.1: +> [S390] user readable uninitialised kernel memory. + +This should fix that up, and is queued for next -stable. + +thanks, +-chris +-- +From: Martin Schwidefsky + +[S390] user readable uninitialised kernel memory, take 2. + +The previous patch to correct the copy_from_user padding is quite +broken. The execute instruction needs to be done via the register %r4, +not via %r2 and 31 bit doesn't know the instructions lgr and ahji. + +Signed-off-by: Martin Schwidefsky + + +Signed-off-by: Martin Schwidefsky +--- + arch/s390/lib/uaccess.S | 10 +++++----- + arch/s390/lib/uaccess64.S | 2 +- + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff -urpN linux-2.6.18.1/arch/s390/lib/uaccess64.S linux-2.6.18.1-s390/arch/s390/lib/uaccess64.S +--- linux-2.6.18.1/arch/s390/lib/uaccess64.S 2006-10-14 05:34:03.000000000 +0200 ++++ linux-2.6.18.1-s390/arch/s390/lib/uaccess64.S 2006-10-17 13:21:20.000000000 +0200 +@@ -49,7 +49,7 @@ __copy_from_user_asm: + la %r2,256(%r2) + 8: aghi %r5,-256 + jnm 7b +- ex %r5,0(%r2) ++ ex %r5,0(%r4) + 9: lgr %r2,%r3 + br %r14 + .section __ex_table,"a" +diff -urpN linux-2.6.18.1/arch/s390/lib/uaccess.S linux-2.6.18.1-s390/arch/s390/lib/uaccess.S +--- linux-2.6.18.1/arch/s390/lib/uaccess.S 2006-10-14 05:34:03.000000000 +0200 ++++ linux-2.6.18.1-s390/arch/s390/lib/uaccess.S 2006-10-17 13:21:06.000000000 +0200 +@@ -41,15 +41,15 @@ __copy_from_user_asm: + 5: mvcp 0(%r5,%r2),0(%r4),%r0 + slr %r3,%r5 + alr %r2,%r5 +-6: lgr %r5,%r3 # copy remaining size ++6: lr %r5,%r3 # copy remaining size + ahi %r5,-1 # subtract 1 for xc loop + bras %r4,8f +- xc 0(1,%2),0(%2) +-7: xc 0(256,%2),0(%2) ++ xc 0(1,%r2),0(%r2) ++7: xc 0(256,%r2),0(%r2) + la %r2,256(%r2) +-8: ahji %r5,-256 ++8: ahi %r5,-256 + jnm 7b +- ex %r5,0(%r2) ++ ex %r5,0(%r4) + 9: lr %r2,%r3 + br %r14 + .section __ex_table,"a" + diff --git a/debian/patches/series/5 b/debian/patches/series/5 new file mode 100644 index 000000000..79b7e6d7b --- /dev/null +++ b/debian/patches/series/5 @@ -0,0 +1,2 @@ +- bugfix/s390-ftbfs-2.6.18.1.patch ++ bugfix/s390-copy_from_user_padding_take2.patch