From: David Daney <ddaney@caviumnetworks.com>
To: linux-mips <linux-mips@linux-mips.org>
Cc: "Malov, Vlad" <Vlad.Malov@caviumnetworks.com>
Subject: [PATCH] MIPS: Fix potential DOS by untrusted user app.
Date: Tue, 18 Nov 2008 15:05:46 -0800 [thread overview]
Message-ID: <49234A4A.2090707@caviumnetworks.com> (raw)
From: Vlad Malov <Vlad.Malov@caviumnetworks.com>
Fix potential DOS by untrusted user app.
Version 3: Fix stupid typo I introduced. This version has received
extensive testing with the LTP where it fixes kernel crashes.
On a 64 bit kernel if an o32 syscall was made with a syscall number
less than 4000, we would read the function from outside of the bounds
of the syscall table. This led to non-deterministic behavior
including system crashes.
While we were at it we reworked the 32 bit version as well to use
fewer instructions. Both 32 and 64 bit versions are use the same code
now.
This version two should address the concerns Maciej raised. gas seems
to expand this instruction ordering with no nops in the delay slots.
Signed-off-by: Vlad Malov <Vlad.Malov@caviumnetworks.com>
Signed-off-by: David Daney <ddaney@caviumnetworks.com>
---
arch/mips/kernel/scall32-o32.S | 5 +----
arch/mips/kernel/scall64-o32.S | 12 +++++-------
2 files changed, 6 insertions(+), 11 deletions(-)
diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
index 759f680..34a4dbd 100644
--- a/arch/mips/kernel/scall32-o32.S
+++ b/arch/mips/kernel/scall32-o32.S
@@ -262,14 +262,11 @@ bad_alignment:
LEAF(sys_syscall)
subu t0, a0, __NR_O32_Linux # check syscall number
sltiu v0, t0, __NR_O32_Linux_syscalls + 1
+ beqz t0, einval # do not recurse
sll t1, t0, 3
beqz v0, einval
-
lw t2, sys_call_table(t1) # syscall routine
- li v1, 4000 - __NR_O32_Linux # index of sys_syscall
- beq t0, v1, einval # do not recurse
-
/* Some syscalls like execve get their arguments from struct pt_regs
and claim zero arguments in the syscall table. Thus we have to
assume the worst case and shuffle around all potential arguments.
diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
index 6c7ef83..facb41a 100644
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -174,14 +174,12 @@ not_o32_scall:
END(handle_sys)
LEAF(sys32_syscall)
- sltu v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1
+ subu t0, a0, __NR_O32_Linux # check syscall number
+ sltiu v0, t0, __NR_O32_Linux_syscalls + 1
+ beqz t0, einval # do not recurse
+ dsll t1, t0, 3
beqz v0, einval
-
- dsll v0, a0, 3
- ld t2, (sys_call_table - (__NR_O32_Linux * 8))(v0)
-
- li v1, 4000 # indirect syscall number
- beq a0, v1, einval # do not recurse
+ ld t2, sys_call_table(t1) # syscall routine
move a0, a1 # shift argument registers
move a1, a2
next reply other threads:[~2008-11-18 23:06 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-11-18 23:05 David Daney [this message]
2008-11-25 0:26 ` [PATCH] MIPS: Fix potential DOS by untrusted user app Ralf Baechle
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=49234A4A.2090707@caviumnetworks.com \
--to=ddaney@caviumnetworks.com \
--cc=Vlad.Malov@caviumnetworks.com \
--cc=linux-mips@linux-mips.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.