From: David Daney <ddaney@caviumnetworks.com>
To: linux-mips <linux-mips@linux-mips.org>
Cc: "Malov, Vlad" <Vlad.Malov@caviumnetworks.com>
Subject: [PATCH] MIPS: Check the range of the syscall number for o32 syscall on 64bit kernel.
Date: Thu, 30 Oct 2008 17:11:43 -0700
Message-ID: <490A4D3F.10700@caviumnetworks.com>
From: Vlad Malov <Vlad.Malov@caviumnetworks.com>
On a 64 bit kernel if an o32 syscall was made with a syscall number
less than 4000, we would read the function from outside of the bounds
of the syscall table. This led to non-deterministic behavior
including system crashes.
While we were at it, we reworked the 32 bit version as well to use
fewer instructions.
Signed-off-by: Vlad Malov <Vlad.Malov@caviumnetworks.com>
Signed-off-by: David Daney <ddaney@caviumnetworks.com>
---
arch/mips/kernel/scall32-o32.S | 9 ++++-----
arch/mips/kernel/scall64-o32.S | 14 +++++++-------
2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
index 759f680..e638363 100644
--- a/arch/mips/kernel/scall32-o32.S
+++ b/arch/mips/kernel/scall32-o32.S
@@ -260,16 +260,15 @@ bad_alignment:
END(sys_sysmips)
LEAF(sys_syscall)
+ .set noreorder
subu t0, a0, __NR_O32_Linux # check syscall number
- sltiu v0, t0, __NR_O32_Linux_syscalls + 1
+ beqz t0, einval # do not recurse
+ sltu v0, t0, __NR_O32_Linux_syscalls + 1
sll t1, t0, 3
beqz v0, einval
-
+ .set reorder
lw t2, sys_call_table(t1) # syscall routine
- li v1, 4000 - __NR_O32_Linux # index of sys_syscall
- beq t0, v1, einval # do not recurse
-
/* Some syscalls like execve get their arguments from struct pt_regs
and claim zero arguments in the syscall table. Thus we have to
assume the worst case and shuffle around all potential arguments.
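Review bot: the delay slot of `beqz v0, einval` is left unfilled: `.set noreorder` is still in effect at that branch and no instruction is given before `.set reorder`, so whether a `nop` or the following `lw t2, sys_call_table(t1)` lands in the slot is left to the assembler; if it is the `lw`, the out-of-range table read this patch exists to prevent still executes (t1 is computed from t0 before the check). Either write the `nop` explicitly after `beqz v0, einval`, or drop the `.set noreorder`/`.set reorder` pair and let the assembler schedule the sequence as the unchanged code around it does. On the same lines, replacing `sltiu v0, t0, __NR_O32_Linux_syscalls + 1` by `sltu` with an immediate operand relies on the assembler's macro rewriting inside a delay slot; `sltiu` is the real machine instruction and should stay as it was.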
diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
index 6c7ef83..d8b3cb1 100644
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -174,14 +174,14 @@ not_o32_scall:
END(handle_sys)
LEAF(sys32_syscall)
- sltu v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1
+ .set noreorder
+ subu t0, a0, __NR_O32_Linux # check syscall number
+ beqz t0, einval # do not recurse
+ sltu v0, t0, __NR_O32_Linux_syscalls + 1
+ dsll t1, t0, 3
beqz v0, einval
-
- dsll v0, a0, 3
- ld t2, (sys_call_table - (__NR_O32_Linux * 8))(v0)
-
- li v1, 4000 # indirect syscall number
- beq a0, v1, einval # do not recurse
+ .set reorder
+ lw t2, sys_call_table(t1) # syscall routine
move a0, a1 # shift argument registers
move a1, a2
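Review bot: `+ lw t2, sys_call_table(t1)` is a regression on the 64-bit kernel: the entries of sys_call_table here are 8-byte pointers, which is why the index is scaled with `dsll t1, t0, 3`, and the removed line used `ld`. `lw` fetches only one half of each pointer, sign-extended, so the syscall routine address left in t2 is wrong for every valid syscall number. Restore `ld t2, sys_call_table(t1)`. The delay-slot point raised on the scall32-o32.S hunk applies here as well: no instruction is given for the slot of `beqz v0, einval` before `.set reorder`, so either add an explicit `nop` there or drop the noreorder bracket. The range check itself is correct: after `subu t0, a0, __NR_O32_Linux`, a number below __NR_O32_Linux wraps to a large unsigned value that `sltu` rejects, which is exactly what the removed upper-bound-only `sltu v0, a0, ...` missed.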