From: David Daney <ddaney@caviumnetworks.com>
To: linux-mips <linux-mips@linux-mips.org>
Cc: "Malov, Vlad" <Vlad.Malov@caviumnetworks.com>
Subject: [PATCH] MIPS: Check the range of the syscall number for o32 syscall on 64bit kernel.
Date: Thu, 30 Oct 2008 17:11:43 -0700 [thread overview]
Message-ID: <490A4D3F.10700@caviumnetworks.com> (raw)
From: Vlad Malov <Vlad.Malov@caviumnetworks.com>
On a 64 bit kernel if an o32 syscall was made with a syscall number
less than 4000, we would read the function from outside of the bounds
of the syscall table. This led to non-deterministic behavior
including system crashes.
While we were at it we reworked the 32 bit version as well to use
fewer instructions.
Signed-off-by: Vlad Malov <Vlad.Malov@caviumnetworks.com>
Signed-off-by: David Daney <ddaney@caviumnetworks.com>
---
arch/mips/kernel/scall32-o32.S | 9 ++++-----
arch/mips/kernel/scall64-o32.S | 14 +++++++-------
2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
index 759f680..e638363 100644
--- a/arch/mips/kernel/scall32-o32.S
+++ b/arch/mips/kernel/scall32-o32.S
@@ -260,16 +260,15 @@ bad_alignment:
END(sys_sysmips)
LEAF(sys_syscall)
+ .set noreorder
subu t0, a0, __NR_O32_Linux # check syscall number
- sltiu v0, t0, __NR_O32_Linux_syscalls + 1
+ beqz t0, einval # do not recurse
+ sltu v0, t0, __NR_O32_Linux_syscalls + 1
sll t1, t0, 3
beqz v0, einval
-
+ .set reorder
lw t2, sys_call_table(t1) # syscall routine
- li v1, 4000 - __NR_O32_Linux # index of sys_syscall
- beq t0, v1, einval # do not recurse
-
/* Some syscalls like execve get their arguments from struct pt_regs
and claim zero arguments in the syscall table. Thus we have to
assume the worst case and shuffle around all potential arguments.
diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
index 6c7ef83..d8b3cb1 100644
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -174,14 +174,14 @@ not_o32_scall:
END(handle_sys)
LEAF(sys32_syscall)
- sltu v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1
+ .set noreorder
+ subu t0, a0, __NR_O32_Linux # check syscall number
+ beqz t0, einval # do not recurse
+ sltu v0, t0, __NR_O32_Linux_syscalls + 1
+ dsll t1, t0, 3
beqz v0, einval
-
- dsll v0, a0, 3
- ld t2, (sys_call_table - (__NR_O32_Linux * 8))(v0)
-
- li v1, 4000 # indirect syscall number
- beq a0, v1, einval # do not recurse
+ .set reorder
+ lw t2, sys_call_table(t1) # syscall routine
move a0, a1 # shift argument registers
move a1, a2
next reply other threads:[~2008-10-31 0:12 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-10-31 0:11 David Daney [this message]
2008-10-31 0:47 ` [PATCH] MIPS: Check the range of the syscall number for o32 syscall on 64bit kernel David Daney
2008-10-31 14:17 ` Maciej W. Rozycki
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=490A4D3F.10700@caviumnetworks.com \
--to=ddaney@caviumnetworks.com \
--cc=Vlad.Malov@caviumnetworks.com \
--cc=linux-mips@linux-mips.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.