| From 3433adc8bd09fc9f29b8baddf33b4ecd1ecd2cdc Mon Sep 17 00:00:00 2001 |
| From: Vineet Gupta <vgupta@synopsys.com> |
| Date: Fri, 23 Apr 2021 12:16:25 -0700 |
| Subject: ARC: entry: fix off-by-one error in syscall number validation |
| |
| From: Vineet Gupta <vgupta@synopsys.com> |
| |
| commit 3433adc8bd09fc9f29b8baddf33b4ecd1ecd2cdc upstream. |
| |
| We have NR_syscall syscalls from [0 .. NR_syscall-1]. |
| However the check for invalid syscall number is "> NR_syscall" as |
| opposed to >=. This off-by-one error erroneously allows "NR_syscall" |
| to be treated as valid syscall causing out-of-bounds access into |
| syscall-call table ensuing a crash (holes within syscall table have an |
| invalid-entry handler but this is beyond the array implementing the |
| table). |
| |
| This problem showed up on v5.6 kernel when testing glibc 2.33 (v5.10 |
| kernel capable, including faccessat2 syscall 439). The v5.6 kernel has |
| NR_syscalls=439 (0 to 438). Due to the bug, 439 passed by glibc was |
| not handled as -ENOSYS but processed leading to a crash. |
| |
| Link: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/48 |
| Reported-by: Shahab Vahedi <shahab@synopsys.com> |
| Cc: <stable@vger.kernel.org> |
| Signed-off-by: Vineet Gupta <vgupta@synopsys.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| arch/arc/kernel/entry.S | 4 ++-- |
| 1 file changed, 2 insertions(+), 2 deletions(-) |
| |
| --- a/arch/arc/kernel/entry.S |
| +++ b/arch/arc/kernel/entry.S |
| @@ -177,7 +177,7 @@ tracesys: |
| |
| ; Do the Sys Call as we normally would. |
| ; Validate the Sys Call number |
| - cmp r8, NR_syscalls |
| + cmp r8, NR_syscalls - 1 |
| mov.hi r0, -ENOSYS |
| bhi tracesys_exit |
| |
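Review bot: the new bound `cmp r8, NR_syscalls - 1` together with `bhi` (unsigned "higher") is correct but reads as an off-by-one at a glance, so the comment "; Validate the Sys Call number" on the line above should spell out the intent, for example "; valid range is 0 .. NR_syscalls-1, so reject r8 >= NR_syscalls (unsigned)". Worth stating in that comment that the unsigned compare is deliberate: a negative value in r8 becomes a large unsigned number and takes the `mov.hi r0, -ENOSYS` / `bhi tracesys_exit` path as well. The `NR_syscalls - 1` expression is folded by the assembler, so there is no runtime cost to the change.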
| @@ -255,7 +255,7 @@ ENTRY(EV_Trap) |
| ;============ Normal syscall case |
| |
| ; syscall num shd not exceed the total system calls avail |
| - cmp r8, NR_syscalls |
| + cmp r8, NR_syscalls - 1 |
| mov.hi r0, -ENOSYS |
| bhi .Lret_from_system_call |
| |
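Review bot: the comment "; syscall num shd not exceed the total system calls avail" now understates the check: with `cmp r8, NR_syscalls - 1` and `bhi .Lret_from_system_call` the number must be strictly less than NR_syscalls, so the comment should say "must be < NR_syscalls" to match. This is the second copy of the same validation sequence in the file (the tracesys path above has an identical one), and the bug had to be fixed in both places; defining the bound once (a single symbol or assembler macro for the compare) and using it in both paths would keep the two checks from drifting apart again. A regression test that issues syscall number NR_syscalls directly and expects -ENOSYS, as the glibc 2.33 faccessat2 case in the commit message did by accident, would have caught this earlier.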