From 9071fdac1647bc35db7796bc58d92ed2d1de7013 Mon Sep 17 00:00:00 2001
From: Dan Rosenberg <drosenberg@vsecurity.com>
Date: Fri, 20 Jan 2012 14:34:27 -0800
Subject: [PATCH] score: fix off-by-one index into syscall table

commit c25a785d6647984505fa165b5cd84cfc9a95970b upstream.

If the provided system call number is equal to __NR_syscalls, the
current check will pass and a function pointer just after the system
call table may be called, since sys_call_table is an array with total
size __NR_syscalls.

Whether or not this is a security bug depends on what the compiler puts
immediately after the system call table. It's likely that this won't do
anything bad because there is an additional NULL check on the syscall
entry, but if there happens to be a non-NULL value immediately after the
system call table, this may result in local privilege escalation.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@vger.kernel.org>
Cc: Chen Liqin <liqin.chen@sunplusct.com>
Cc: Lennox Wu <lennox.wu@gmail.com>
Cc: Eugene Teo <eugeneteo@kernel.sg>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
---
 arch/score/kernel/entry.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/score/kernel/entry.S b/arch/score/kernel/entry.S
index 577abba..83bb960 100644
--- a/arch/score/kernel/entry.S
+++ b/arch/score/kernel/entry.S
| @@ -408,7 +408,7 @@ ENTRY(handle_sys) |
| sw r9, [r0, PT_EPC] |
| |
| cmpi.c r27, __NR_syscalls # check syscall number |
| - bgtu illegal_syscall |
| + bgeu illegal_syscall |
| |
| slli r8, r27, 2 # get syscall routine |
| la r11, sys_call_table |
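Review bot: changing `bgtu` to `bgeu` is the correct fix for the bound on the `cmpi.c r27, __NR_syscalls` compare: sys_call_table has __NR_syscalls entries indexed 0..__NR_syscalls-1, so a number equal to __NR_syscalls must also branch to illegal_syscall, and keeping the compare unsigned means a negative syscall number wraps to a large value and lands on the rejected side as well. The comment on that line still just says `# check syscall number`; please make the exclusive bound explicit, e.g. `# check syscall number (must be < __NR_syscalls)`, so the off-by-one is not reintroduced by a later reader. Worth noting for reviewers: `slli r8, r27, 2` turns the raw number into the table offset immediately after this branch, so this branch is the only bounds check on the index; the NULL check the commit message mentions only guards the contents of the entry that gets loaded, not which entry is loaded.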
-- 
1.7.9.6
