[3.11.y.z extended stable] Patch "s390/uaccess: add missing page table walk range check" has been added to staging queue

Luis Henriques luis.henriques at canonical.com
Thu Dec 5 11:21:19 UTC 2013 

This is a note to let you know that I have just added a patch titled

    s390/uaccess: add missing page table walk range check

to the linux-3.11.y-queue branch of the 3.11.y.z extended stable tree 
which can be found at:

 http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.11.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.11.y.z tree, see
https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable

Thanks.
-Luis

------

>From 4cc25195b05613fc90e2d3e46c3e5a24464bfe3b Mon Sep 17 00:00:00 2001
From: Heiko Carstens <heiko.carstens at de.ibm.com>
Date: Thu, 21 Nov 2013 16:22:17 +0100
Subject: s390/uaccess: add missing page table walk range check

commit 71a86ef055f569b93bc6901f007bdf447dbf515f upstream.

When translating a user space address, the address must be checked against
the ASCE limit of the process. If the address is larger than the maximum
address that is reachable with the ASCE, an ASCE type exception must be
generated.

The current code simply ignored the higher order bits. This resulted in an
address wrap around in user space instead of an exception in user space.

Reviewed-by: Gerald Schaefer <gerald.schaefer at de.ibm.com>
Signed-off-by: Heiko Carstens <heiko.carstens at de.ibm.com>
Signed-off-by: Martin Schwidefsky <schwidefsky at de.ibm.com>
Signed-off-by: Luis Henriques <luis.henriques at canonical.com>
---
 arch/s390/lib/uaccess_pt.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/s390/lib/uaccess_pt.c b/arch/s390/lib/uaccess_pt.c
index 50ea137..1bf40ef 100644
--- a/arch/s390/lib/uaccess_pt.c
+++ b/arch/s390/lib/uaccess_pt.c
@@ -78,11 +78,14 @@ static size_t copy_in_kernel(size_t count, void __user *to,
  * contains the (negative) exception code.
  */
 #ifdef CONFIG_64BIT
+
 static unsigned long follow_table(struct mm_struct *mm,
 				  unsigned long address, int write)
 {
 	unsigned long *table = (unsigned long *)__pa(mm->pgd);

+	if (unlikely(address > mm->context.asce_limit - 1))
+		return -0x38UL;
 	switch (mm->context.asce_bits & _ASCE_TYPE_MASK) {
 	case _ASCE_TYPE_REGION1:
 		table = table + ((address >> 53) & 0x7ff);
--
1.8.3.2

More information about the kernel-team mailing list