Repoke. I think I'll go ahead and put this into our tree & revert if it causes problems.
hey Bastian, CAN-2004-0887 is fixed in our 2.6.8:

* [SECURITY] s390: Fix for local root exploit: Force user process back to home space mode in space switch event exception handler. (CAN-2004-0887) (Bastian Blank)

The vulnerable code looks to be present in 2.4.27 as well, but I don't see a patch in either kernel-source-2.4.27 or the s390 patch package. I've tried my hand at porting it (below). Should we apply it? If so, where is the proper place to submit it upstream - direct to lkml/Marcelo?

--- kernel-source-2.4.27/arch/s390/kernel/traps.c.orig	2006-01-16 19:31:12.000000000 -0700
+++ kernel-source-2.4.27/arch/s390/kernel/traps.c	2006-01-16 19:32:12.000000000 -0700
@@ -622,6 +622,20 @@
 	}
 }
 
+asmlinkage void space_switch_exception(struct pt_regs * regs, long int_code)
+{
+	siginfo_t info;
+
+	/* Set user psw back to home space mode. */
+	if (regs->psw.mask & PSW_MASK_PSTATE)
+		regs->psw.mask |= PSW_ASC_HOME;
+	/* Send SIGILL. */
+	info.si_signo = SIGILL;
+	info.si_errno = 0;
+	info.si_code = ILL_PRVOPC;
+	info.si_addr = get_check_address(regs);
+	do_trap(int_code, SIGILL, "space switch event", regs, &info);
+}
 
 /* init is done in lowcore.S and head.S */
 
@@ -646,7 +660,7 @@
 	pgm_check_table[0x13] = &special_op_exception;
 	pgm_check_table[0x14] = &do_pseudo_page_fault;
 	pgm_check_table[0x15] = &operand_exception;
-	pgm_check_table[0x1C] = &privileged_op;
+	pgm_check_table[0x1C] = &space_switch_exception;
 #if defined (CONFIG_VIRT_TIMER) || defined (CONFIG_NO_IDLE_HZ)
 	pgm_check_table[0x40] = &do_monitor_call;
 #endif

-- 
dann frazier <[EMAIL PROTECTED]>
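Review bot: In the new space_switch_exception(), the home-space reset is guarded by `if (regs->psw.mask & PSW_MASK_PSTATE)` and the constants PSW_MASK_PSTATE and PSW_ASC_HOME are carried over from the 2.6 handler; please confirm both exist under those names in 2.4.27's s390 headers (the 2.4 and 2.6 psw mask definitions are not identical), and that get_check_address() and do_trap() in 2.4.27's traps.c take the arguments used here, otherwise this hunk will not build. Worth stating in the commit message as well: because of that guard, a space-switch event taken in kernel mode falls through to do_trap() with the ASC bits untouched, which matches the 2.6 fix but is the one behavioural difference from the old privileged_op path that a reader cannot see from the diff alone.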
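Review bot: Replacing the 0x1C entry removes the only reference to privileged_op visible in this hunk; check that privileged_op is still installed in another pgm_check_table slot in 2.4.27's traps.c, otherwise it becomes dead code (and an unused-function warning) and should be dropped in the same patch. Also, 2.4 carries a separate 64-bit tree under arch/s390x/kernel/traps.c with its own pgm_check_table; if that table likewise points code 0x1C at privileged_op, it needs the same `space_switch_exception` change, or the 64-bit kernel stays exposed to CAN-2004-0887 after this patch is applied.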