* [PATCH] MIPS: Fix potential DOS by untrusted user app.
@ 2008-11-18 23:05 David Daney
From: David Daney @ 2008-11-18 23:05 UTC
To: linux-mips; +Cc: Malov, Vlad
From: Vlad Malov <Vlad.Malov@caviumnetworks.com>
Fix potential DOS by untrusted user app.
Version 3: Fix stupid typo I introduced. This version has received
extensive testing with the LTP where it fixes kernel crashes.
On a 64 bit kernel if an o32 syscall was made with a syscall number
less than 4000, we would read the function from outside of the bounds
of the syscall table. This led to non-deterministic behavior
including system crashes.
While we were at it we reworked the 32 bit version as well to use
fewer instructions. Both 32 and 64 bit versions use the same code
now.
This version two should address the concerns Maciej raised. gas seems
to expand this instruction ordering with no nops in the delay slots.
Signed-off-by: Vlad Malov <Vlad.Malov@caviumnetworks.com>
Signed-off-by: David Daney <ddaney@caviumnetworks.com>
---
arch/mips/kernel/scall32-o32.S | 5 +----
arch/mips/kernel/scall64-o32.S | 12 +++++-------
2 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
index 759f680..34a4dbd 100644
--- a/arch/mips/kernel/scall32-o32.S
+++ b/arch/mips/kernel/scall32-o32.S
@@ -262,14 +262,11 @@ bad_alignment:
LEAF(sys_syscall)
subu t0, a0, __NR_O32_Linux # check syscall number
sltiu v0, t0, __NR_O32_Linux_syscalls + 1
+ beqz t0, einval # do not recurse
sll t1, t0, 3
beqz v0, einval
-
lw t2, sys_call_table(t1) # syscall routine
- li v1, 4000 - __NR_O32_Linux # index of sys_syscall
- beq t0, v1, einval # do not recurse
-
/* Some syscalls like execve get their arguments from struct pt_regs
and claim zero arguments in the syscall table. Thus we have to
assume the worst case and shuffle around all potential arguments.
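Review bot: the new `beqz t0, einval` sits between `sltiu` and `sll`, and `lw t2, sys_call_table(t1)` now directly follows `beqz v0, einval`; the load stays out of the delay slot only because gas in reorder mode pulls the preceding independent instruction into each slot (`sltiu` behind `beqz t0`, `sll` behind `beqz v0`), as the cover letter says. A short comment stating that this sequence must remain under `.set reorder` would stop a later `.set noreorder` from putting the `lw` into the delay slot of the bounds-check branch, where it would execute with an unchecked `t1` even when the branch is taken. It is also worth a comment that replacing `li v1, 4000 - __NR_O32_Linux; beq t0, v1, einval` with `beqz t0` relies on index 0 of the table being sys_syscall, i.e. on `__NR_O32_Linux` being 4000.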
diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
index 6c7ef83..facb41a 100644
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -174,14 +174,12 @@ not_o32_scall:
END(handle_sys)
LEAF(sys32_syscall)
- sltu v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1
+ subu t0, a0, __NR_O32_Linux # check syscall number
+ sltiu v0, t0, __NR_O32_Linux_syscalls + 1
+ beqz t0, einval # do not recurse
+ dsll t1, t0, 3
beqz v0, einval
-
- dsll v0, a0, 3
- ld t2, (sys_call_table - (__NR_O32_Linux * 8))(v0)
-
- li v1, 4000 # indirect syscall number
- beq a0, v1, einval # do not recurse
+ ld t2, sys_call_table(t1) # syscall routine
move a0, a1 # shift argument registers
move a1, a2
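Review bot: the two-sided check is the real fix here: the removed `sltu v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1` only bounded a0 from above, so any number below `__NR_O32_Linux` made `ld t2, (sys_call_table - (__NR_O32_Linux * 8))(v0)` read before the table. The replacement depends on `subu t0, a0, __NR_O32_Linux` producing a sign-extended 32-bit result, so that a negative difference becomes a large unsigned value that `sltiu v0, t0, __NR_O32_Linux_syscalls + 1` rejects; on MIPS64 `subu` is only defined for sign-extended 32-bit operands, so please confirm that a0 is sign-extended on entry to `sys32_syscall` (or sanitize it first), and add a comment explaining why the single `sltiu` covers both bounds.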
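To make the bounds-check logic in the patch concrete, here is an added C model of the two lookups. It is not code from the patch or from the kernel: the function names `old_lookup` and `new_lookup` are hypothetical, the table size is a constructed small value standing in for `__NR_O32_Linux_syscalls`, and the 64-bit sign extension of `subu` is modelled explicitly so the reader can see why one unsigned compare covers both ends of the range.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* __NR_O32_Linux is 4000 in the MIPS o32 ABI. The table size here is a
 * constructed value so the model is self-contained; the kernel uses
 * __NR_O32_Linux_syscalls. */
#define NR_O32_LINUX          4000u
#define NR_O32_LINUX_SYSCALLS 8u     /* constructed, not the real count */

/* Pre-patch scall64-o32.S logic (hypothetical name). Returns 1 and stores the
 * table index that would be dereferenced, 0 when the call is rejected before
 * any load takes place. */
static int old_lookup(uint32_t nr, int64_t *idx)
{
    /* sltu v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1
     * beqz v0, einval                       -> upper bound only */
    if (!(nr < NR_O32_LINUX + NR_O32_LINUX_SYSCALLS + 1))
        return 0;

    /* dsll v0, a0, 3
     * ld   t2, (sys_call_table - (__NR_O32_Linux * 8))(v0)
     * The effective index is nr - 4000, which is negative for nr < 4000 and
     * reads before sys_call_table: this is the defect the patch fixes. */
    *idx = (int64_t)nr - (int64_t)NR_O32_LINUX;

    /* li v1, 4000; beq a0, v1, einval: recursion check, after the load */
    if (nr == NR_O32_LINUX)
        return 0;
    return 1;
}

/* Post-patch logic now shared by both files (hypothetical name). The
 * subtraction is modelled as a 32-bit subu whose result is sign-extended to
 * 64 bits, as on a MIPS64 kernel. */
static int new_lookup(uint32_t nr, uint32_t *idx)
{
    /* subu t0, a0, __NR_O32_Linux: 32-bit wrap, then sign-extend */
    int64_t t0 = (int64_t)(int32_t)(nr - NR_O32_LINUX);

    /* sltiu v0, t0, __NR_O32_Linux_syscalls + 1: unsigned compare, so a
     * negative (sign-extended) t0 is a huge value and fails the same test
     * as an index past the end. One compare bounds both sides. */
    int in_range = (uint64_t)t0 < (uint64_t)(NR_O32_LINUX_SYSCALLS + 1);

    /* beqz t0, einval: index 0 is sys_syscall itself, do not recurse */
    if (t0 == 0 || !in_range)
        return 0;

    /* dsll t1, t0, 3 ; ld t2, sys_call_table(t1): index is now known valid */
    *idx = (uint32_t)t0;
    return 1;
}

int main(void)
{
    /* Constructed probe numbers: below, at, inside and past the o32 range. */
    static const uint32_t probes[] = { 0, 3999, 4000, 4001, 4008, 4009, 0xFFFFFFFFu };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int64_t o = 0;
        uint32_t n = 0;
        int ok_old = old_lookup(probes[i], &o);
        int ok_new = new_lookup(probes[i], &n);
        printf("nr=%-10u old: %-6s idx=%-6lld new: %-6s idx=%u\n", probes[i],
               ok_old ? "load" : "einval", (long long)o,
               ok_new ? "load" : "einval", n);
    }
    return 0;
}
```

Running the model shows the old check accepting 3999 and 0 with indexes of -1 and -4000, exactly the out-of-table reads the cover letter describes, while the new check rejects everything outside 4001..4008 and the recursive 4000 before any load is attempted.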
* Re: [PATCH] MIPS: Fix potential DOS by untrusted user app.
@ 2008-11-25 0:26 ` Ralf Baechle
From: Ralf Baechle @ 2008-11-25 0:26 UTC
To: David Daney; +Cc: linux-mips, Malov, Vlad
On Tue, Nov 18, 2008 at 03:05:46PM -0800, David Daney wrote:
Thanks, applied.
Ralf