
Commit 43725bd

author
CKI Backport Bot
committed
s390/sclp: Fix SCCB present check
JIRA: https://issues.redhat.com/browse/RHEL-113557 CVE: CVE-2025-39694 Y-Commit: 430fa71 s390/sclp: Fix SCCB present check Tracing code called by the SCLP interrupt handler contains early exits if the SCCB address associated with an interrupt is NULL. This check is performed after physical to virtual address translation. If the kernel identity mapping does not start at address zero, the resulting virtual address is never zero, so that the NULL checks won't work. Subsequently this may result in incorrect accesses to the first page of the identity mapping. Fix this by introducing a function that handles the NULL case before address translation. Fixes: ada1da3 ("s390/sclp: sort out physical vs virtual pointers usage") Cc: [email protected] Reviewed-by: Alexander Gordeev <[email protected]> Signed-off-by: Peter Oberparleiter <[email protected]> Signed-off-by: Alexander Gordeev <[email protected]> (cherry picked from commit 430fa71) Signed-off-by: CKI Backport Bot <[email protected]>
1 parent 253fc23 commit 43725bd


1 file changed

+9
-2
lines changed


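--- a/drivers/s390/char/sclp.c
+++ b/drivers/s390/char/sclp.c
@@ -76,6 +76,13 @@ unsigned long sclp_console_full;
 /* The currently active SCLP command word. */
 static sclp_cmdw_t active_cmd;
 
+static inline struct sccb_header *sclpint_to_sccb(u32 sccb_int)
+{
+if (sccb_int)
+return __va(sccb_int);
+return NULL;
+}
+
 static inline void sclp_trace(int prio, char *id, u32 a, u64 b, bool err)
 {
 struct sclp_trace_entry e;
@@ -620,7 +627,7 @@ __sclp_find_req(u32 sccb)
 
 static bool ok_response(u32 sccb_int, sclp_cmdw_t cmd)
 {
-struct sccb_header *sccb = (struct sccb_header *)__va(sccb_int);
+struct sccb_header *sccb = sclpint_to_sccb(sccb_int);
 struct evbuf_header *evbuf;
 u16 response;
 
@@ -659,7 +666,7 @@ static void sclp_interrupt_handler(struct ext_code ext_code,
 
 /* INT: Interrupt received (a=intparm, b=cmd) */
 sclp_trace_sccb(0, "INT", param32, active_cmd, active_cmd,
-(struct sccb_header *)__va(finished_sccb),
+sclpint_to_sccb(finished_sccb),
 !ok_response(finished_sccb, active_cmd));
 
 if (finished_sccb) {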
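Review bot: `sclpint_to_sccb()` (new lines 79-84) has no comment explaining why the zero test must come before `__va()`, and that ordering is the entire fix, so a later cleanup could fold it back into a bare cast and reintroduce the bug. I would add above it `/* Interrupt parameter 0 means "no SCCB": return NULL before __va(), which yields a non-NULL pointer when the identity mapping does not start at 0. */`. The bodies of `ok_response()` and `sclp_interrupt_handler()` continue outside the visible hunks. It is therefore worth confirming that `ok_response()` tests `sccb` for NULL before its first dereference. It is also worth checking that no other raw `__va()` on an interrupt-supplied SCCB address remains in this file.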
