S390: user readable uninitialised kernel memory (CVE-2006-5174)

[S390] user readable uninitialised kernel memory.

A user space program can read uninitialised kernel memory
by appending to a file from a bad address and then reading
the result back. The cause is the copy_from_user function
that does not clear the remaining bytes of the kernel
buffer after it got a fault on the user space address.
Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

arch/s390/lib/uaccess.S

@@ -40,7 +40,17 @@ __copy_from_user_asm:
 	# move with the reduced length which is < 256
 5:	mvcp	0(%r5,%r2),0(%r4),%r0
 	slr	%r3,%r5
-6:	lr	%r2,%r3
+	alr	%r2,%r5
+6:	lgr	%r5,%r3		# copy remaining size
+	ahi	%r5,-1		# subtract 1 for xc loop
+	bras	%r4,8f
+	xc	0(1,%2),0(%2)
+7:	xc	0(256,%2),0(%2)
+	la	%r2,256(%r2)
+8:	ahji	%r5,-256
+	jnm	7b
+	ex	%r5,0(%r2)
+9:	lr	%r2,%r3
 	br	%r14
         .section __ex_table,"a"
 	.long	0b,4b

arch/s390/lib/uaccess64.S

@@ -40,7 +40,17 @@ __copy_from_user_asm:
 	# move with the reduced length which is < 256
 5:	mvcp	0(%r5,%r2),0(%r4),%r0
 	slgr	%r3,%r5
-6:	lgr	%r2,%r3
+	algr	%r2,%r5
+6:	lgr	%r5,%r3		# copy remaining size
+	aghi	%r5,-1		# subtract 1 for xc loop
+	bras	%r4,8f
+	xc	0(1,%r2),0(%r2)
+7:	xc	0(256,%r2),0(%r2)
+	la	%r2,256(%r2)
+8:	aghi	%r5,-256
+	jnm	7b
+	ex	%r5,0(%r2)
+9:	lgr	%r2,%r3
 	br	%r14
         .section __ex_table,"a"
 	.quad	0b,4b