Bug 154308 - Kernel: s390 user readable uninitialised kernel memory (CVE-2006-5174)
Summary: Kernel: s390 user readable uninitialised kernel memory (CVE-2006-5174)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All
OS: Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.kernel.org/git/?p=linux/ke...
Whiteboard: [linux <2.6.16.31] [linux >=2.6.17 <2...
Keywords:
Depends on:
Blocks:
 
Reported: 2006-11-06 22:11 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2009-07-21 17:41 UTC
See Also:
Package list:
Runtime testing required: ---


Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-06 22:11:39 UTC
A user space program can read uninitialised kernel memory by appending to a file from a bad address and then reading the result back. The cause is the copy_from_user function that does not clear the remaining bytes of the kernel buffer after it got a fault on the user space address.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-06 22:14:38 UTC
Patch in GIT might be wrong. The one below should be correct (sorry for the formatting).

--- linux-2.6.18.1/arch/s390/lib/uaccess64.S    2006-10-17 13:26:32.000000000 +0200
+++ linux-2.6.18.1-s390/arch/s390/lib/uaccess64.S       2006-10-17 13:21:20.000000000 +0200
@@ -40,7 +40,17 @@ __copy_from_user_asm:
        # move with the reduced length which is < 256
 5:     mvcp    0(%r5,%r2),0(%r4),%r0
        slgr    %r3,%r5
-6:     lgr     %r2,%r3
+       algr    %r2,%r5
+6:     lgr     %r5,%r3         # copy remaining size
+       aghi    %r5,-1          # subtract 1 for xc loop
+       bras    %r4,8f
+       xc      0(1,%r2),0(%r2)
+7:     xc      0(256,%r2),0(%r2)
+       la      %r2,256(%r2)
+8:     aghi    %r5,-256
+       jnm     7b
+       ex      %r5,0(%r4)
+9:     lgr     %r2,%r3
        br      %r14
         .section __ex_table,"a"
        .quad   0b,4b
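Review bot: the clearing loop at labels 6 to 9 assumes the remaining count in %r3 is at least 1 when label 6 is reached. `ex %r5,0(%r4)` ORs the low byte of %r5 into the length field of the `xc 0(1,%r2),0(%r2)` template, so after `aghi %r5,-1` and the `aghi %r5,-256` / `jnm 7b` loop the final xc clears ((n-1) mod 256)+1 bytes, which is right for n >= 1 but clears 256 bytes past the buffer when n == 0 (low byte 0xff). Either confirm that neither fault path can reach 6 with %r3 == 0, or add a `ltgr %r5,%r3` / `jz 9f` test before the `aghi %r5,-1`. The xc right after `bras %r4,8f` also deserves a comment saying it is only the template for ex and is jumped over, otherwise it reads like dead code; clobbering %r4 (the user address) there is fine since the function returns straight after.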
diff -urpN linux-2.6.18.1/arch/s390/lib/uaccess.S linux-2.6.18.1-s390/arch/s390/lib/uaccess.S
--- linux-2.6.18.1/arch/s390/lib/uaccess.S      2006-10-17 13:26:32.000000000 +0200
+++ linux-2.6.18.1-s390/arch/s390/lib/uaccess.S 2006-10-17 13:21:06.000000000 +0200
@@ -40,7 +40,17 @@ __copy_from_user_asm:
        # move with the reduced length which is < 256
 5:     mvcp    0(%r5,%r2),0(%r4),%r0
        slr     %r3,%r5
-6:     lr      %r2,%r3
+       alr     %r2,%r5
+6:     lr      %r5,%r3         # copy remaining size
+       ahi     %r5,-1          # subtract 1 for xc loop
+       bras    %r4,8f
+       xc      0(1,%r2),0(%r2)
+7:     xc      0(256,%r2),0(%r2)
+       la      %r2,256(%r2)
+8:     ahi     %r5,-256
+       jnm     7b
+       ex      %r5,0(%r4)
+9:     lr      %r2,%r3
        br      %r14
         .section __ex_table,"a"
        .long   0b,4b
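Review bot: the same caveat as for the 64-bit variant applies to `ex %r5,0(%r4)` here: ex takes the low byte of %r5, so the `ahi %r5,-1` / `ahi %r5,-256` / `jnm 7b` sequence only clears the right amount when %r3 >= 1 at label 6, and a zero remainder would clear 256 bytes beyond the buffer. Apart from the 31-bit mnemonics (lr/alr/ahi for lgr/algr/aghi) the two hunks are identical, so whatever guard or comment is added to uaccess64.S should be mirrored here; the `xc 0(1,%r2),0(%r2)` after bras in particular wants a "# template for ex, not executed directly" comment in both files.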
Comment 2 Harlan Lieberman-Berg (RETIRED) gentoo-dev 2006-12-15 12:32:46 UTC
s390 is unsupported.