Description: Kernel memory protection bypass on s390
References:
Notes:
 bwh> Martin Schwidefsky says this was introduced by commit fa968ee215c0
 bwh> ("s390/signal: set correct address space control"). It added the
 bwh> ASC (Address Space Control) processor status bits to those that
 bwh> must be restored on return from signals, but as a result they can
 bwh> also be set arbitrarily by ptrace. This opens a vulnerability if
 bwh> the kernel parameter user_mode=primary is used. Commit e258d719ff28
 bwh> ("s390/uaccess: always run the kernel in home space") made that
 bwh> the default (I think).
Bugs:
upstream: released (3.16-rc7) [dab6cf55f81a6e16b8147aed9a843e1691dcd318]
2.6.32-upstream-stable: N/A ("vulnerable code not present")
sid: released (3.14.13-2) [bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch]
3.2-wheezy-security: released (3.2.60-1+deb7u3) [bugfix/s390/s390-ptrace-fix-PSW-mask-check.patch]
2.6.32-squeeze-security: N/A ("vulnerable code not present")
3.2-upstream-stable: released (3.2.62) [s390-ptrace-fix-PSW-mask-check.patch]