diff options
author | Vineet Gupta <vgupta@synopsys.com> | 2021-04-23 21:16:25 +0200 |
---|---|---|
committer | Vineet Gupta <vgupta@synopsys.com> | 2021-05-10 21:38:59 +0200 |
commit | 3433adc8bd09fc9f29b8baddf33b4ecd1ecd2cdc (patch) | |
tree | 76a2d371c15467b0232ad70e6addcba85dddcac1 /arch/arc/kernel/entry.S | |
parent | ARC: kgdb: add 'fallthrough' to prevent a warning (diff) | |
download | linux-3433adc8bd09fc9f29b8baddf33b4ecd1ecd2cdc.tar.xz linux-3433adc8bd09fc9f29b8baddf33b4ecd1ecd2cdc.zip |
ARC: entry: fix off-by-one error in syscall number validation
We have NR_syscall syscalls from [0 .. NR_syscall-1].
However the check for invalid syscall number is "> NR_syscall" as
opposed to >=. This off-by-one error erronesously allows "NR_syscall"
to be treated as valid syscall causeing out-of-bounds access into
syscall-call table ensuing a crash (holes within syscall table have a
invalid-entry handler but this is beyond the array implementing the
table).
This problem showed up on v5.6 kernel when testing glibc 2.33 (v5.10
kernel capable, includng faccessat2 syscall 439). The v5.6 kernel has
NR_syscalls=439 (0 to 438). Due to the bug, 439 passed by glibc was
not handled as -ENOSYS but processed leading to a crash.
Link: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/48
Reported-by: Shahab Vahedi <shahab@synopsys.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>
Diffstat (limited to 'arch/arc/kernel/entry.S')
-rw-r--r-- | arch/arc/kernel/entry.S | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/arch/arc/kernel/entry.S b/arch/arc/kernel/entry.S index 1743506081da..2cb8dfe866b6 100644 --- a/arch/arc/kernel/entry.S +++ b/arch/arc/kernel/entry.S @@ -177,7 +177,7 @@ tracesys: ; Do the Sys Call as we normally would. ; Validate the Sys Call number - cmp r8, NR_syscalls + cmp r8, NR_syscalls - 1 mov.hi r0, -ENOSYS bhi tracesys_exit @@ -255,7 +255,7 @@ ENTRY(EV_Trap) ;============ Normal syscall case ; syscall num shd not exceed the total system calls avail - cmp r8, NR_syscalls + cmp r8, NR_syscalls - 1 mov.hi r0, -ENOSYS bhi .Lret_from_system_call |