A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Adrian Bunk <bunk@stusta.de>
# move with the reduced length which is < 256
5: mvcp 0(%r5,%r2),0(%r4),%r0
slr %r3,%r5
-6: lr %r2,%r3
+ alr %r2,%r5
+6: lgr %r5,%r3 # copy remaining size
+ ahi %r5,-1 # subtract 1 for xc loop
+ bras %r4,8f
+ xc 0(1,%2),0(%2)
+7: xc 0(256,%2),0(%2)
+ la %r2,256(%r2)
+8: ahji %r5,-256
+ jnm 7b
+ ex %r5,0(%r2)
+9: lr %r2,%r3
br %r14
.section __ex_table,"a"
.long 0b,4b
# move with the reduced length which is < 256
5: mvcp 0(%r5,%r2),0(%r4),%r0
slgr %r3,%r5
-6: lgr %r2,%r3
+ algr %r2,%r5
+6: lgr %r5,%r3 # copy remaining size
+ aghi %r5,-1 # subtract 1 for xc loop
+ bras %r4,8f
+ xc 0(1,%r2),0(%r2)
+7: xc 0(256,%r2),0(%r2)
+ la %r2,256(%r2)
+8: aghi %r5,-256
+ jnm 7b
+ ex %r5,0(%r2)
+9: lgr %r2,%r3
br %r14
.section __ex_table,"a"
.quad 0b,4b
projects / unionfs-2.6.39.y.git / commitdiff