Re: CAN-2004-0887
> I presume, then, that a signal handler could be called, but
> instead of code getting executed in home space, code would
> get executed in primary space instead. If a carefully
> crafted signal handler address was created then the code
> actually executed could put the user space in root mode ??

Kernel code would get executed with the user registers set up for the
signal handler. By taking careful aim with the help of a kernel listing,
a malicious user program could have done ugly things. This is fixed in
BitKeeper since yesterday, see ChangeSet 1.2091.

> I suppose what I am really trying to understand a little better
> is how s390 linux works. This is what I'm guessing:
> 1) userland runs in home space mode
> 2) kernel runs in primary space mode, uses mvcs/mvcp to
>    copy between kernel and userland
> 3) syscall is implemented using the svc instruction
> 4) cow is implemented by forcing program interrupt 0x04
>    on write

Yes, yes, yes and yes.

blue skies,
Martin

Martin Schwidefsky
Linux for zSeries Development & Services
IBM Deutschland Entwicklung GmbH

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
Re: CAN-2004-0887
Martin Schwidefsky wrote:
> CAN-2004-0887 is a local root exploit specific to s390. The only
> affected distro is SLES9 and they have a security update in place.
> Do you need to know anything more specific ?

Thanks Martin. I was curious how the exploit worked.

Your patch adds a new handler for program interrupt 0x1c (space-switch)
where you make sure a saved problem state psw is in home space mode:

+ regs->psw.mask |= PSW_ASC_HOME;

So it looks like problem state (user?) code should always run in home
space mode. If sacf is issued to switch out of home space mode then the
psw is updated accordingly, however if the space-switch-event is on in
cr1 or cr13 then a 0x1c interrupt will occur (looks like this bit is
always on in cr13).

Before the patch, a problem state program could issue sacf to get out of
home space mode and then a 0x1c program interrupt occurs and
do_trap(SIGILL) is performed but regs->psw has the wrong
address-space-control bits.

I presume, then, that a signal handler could be called, but instead of
code getting executed in home space, code would get executed in primary
space instead. If a carefully crafted signal handler address was created
then the code actually executed could put the user space in root mode ??

I suppose what I am really trying to understand a little better is how
s390 linux works. This is what I'm guessing:

1) userland runs in home space mode
2) kernel runs in primary space mode, uses mvcs/mvcp to
   copy between kernel and userland
3) syscall is implemented using the svc instruction
4) cow is implemented by forcing program interrupt 0x04
   on write

Greg Smith
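Added example, not code from this thread or from the kernel: a small user-space model in C of the check Greg describes, with the pre-patch and patched SIGILL delivery paths side by side. The PSW_ASC_* values assume the 64-bit s390 PSW mask layout (ASC field in bits 16-17); struct psw and sacf_to are constructed stand-ins for pt_regs and the sacf instruction.

```c
/* Added example, not kernel code: user-space model of the fix quoted
 * above (regs->psw.mask |= PSW_ASC_HOME) applied by the program
 * interrupt 0x1c handler before SIGILL is delivered.
 * Assumption: 64-bit s390 PSW layout, ASC field in mask bits 16-17. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PSW_MASK_ASC    0x0000C00000000000UL
#define PSW_ASC_PRIMARY 0x0000000000000000UL
#define PSW_ASC_HOME    0x0000C00000000000UL

/* Stand-in for the saved PSW in pt_regs (constructed, not the real struct). */
struct psw { uint64_t mask; uint64_t addr; };

/* Problem-state sacf: rewrite the address-space-control bits of the PSW. */
static struct psw sacf_to(uint64_t asc)
{
    struct psw regs = { .mask = PSW_ASC_HOME, .addr = 0x400000UL }; /* constructed */
    regs.mask = (regs.mask & ~PSW_MASK_ASC) | asc;
    return regs;
}

/* Pre-patch path: the signal frame inherits whatever ASC sacf left behind. */
static uint64_t deliver_sigill_before_fix(struct psw *regs)
{
    return regs->mask & PSW_MASK_ASC;
}

/* Patched path: force home space before the signal frame is built. */
static uint64_t deliver_sigill_after_fix(struct psw *regs)
{
    regs->mask |= PSW_ASC_HOME;
    return regs->mask & PSW_MASK_ASC;
}

/* One scenario: sacf to primary space, then deliver SIGILL both ways.
 * True when the old path leaks a non-home ASC and the new path does not. */
static bool fix_restores_home_space(void)
{
    struct psw regs = sacf_to(PSW_ASC_PRIMARY);
    bool leaked = deliver_sigill_before_fix(&regs) != PSW_ASC_HOME;
    return leaked && deliver_sigill_after_fix(&regs) == PSW_ASC_HOME;
}

int main(void)
{
    printf("fix restores home space: %s\n", fix_restores_home_space() ? "yes" : "no");
    return 0;
}
```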
Re: CAN-2004-0887
Hi Greg,

> Can't find any info on this but it is mentioned here:
> http://www.ussg.iu.edu/hypermail/linux/kernel/0410.2/2264.html

CAN-2004-0887 is a local root exploit specific to s390. The only
affected distro is SLES9 and they have a security update in place.
Do you need to know anything more specific ?

blue skies,
Martin

Martin Schwidefsky
Linux for zSeries Development & Services
IBM Deutschland Entwicklung GmbH
Re: CAN-2004-0887
Check the code drop of 2004-10-21. I think it may be related to this.

Neale

-----Original Message-----
Can't find any info on this but it is mentioned here:
http://www.ussg.iu.edu/hypermail/linux/kernel/0410.2/2264.html
CAN-2004-0887
Can't find any info on this but it is mentioned here:
http://www.ussg.iu.edu/hypermail/linux/kernel/0410.2/2264.html

Greg