From: Dan Rosenberg <drosenberg@vsecurity.com>
To: liqin.chen@sunplusct.com, lennox.wu@gmail.com
Cc: linux-kernel@vger.kernel.org, security@kernel.org
Subject: [PATCH] score: fix off-by-one index into syscall table
Date: Fri, 06 Jan 2012 08:21:26 -0500
Message-ID: <1325856086.17441.27.camel@osiris>

If the provided system call number is equal to __NR_syscalls, the
current check will pass and a function pointer just after the system
call table may be called, since sys_call_table is an array with total
size __NR_syscalls.  Whether or not this is a security bug depends on
what the compiler puts immediately after the system call table.  It's
likely that this won't do anything bad because there is an additional
NULL check on the syscall entry, but if there happens to be a non-NULL
value immediately after the system call table, this may result in local
privilege escalation.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Cc: security@kernel.org
---
 arch/score/kernel/entry.S |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/arch/score/kernel/entry.S b/arch/score/kernel/entry.S
index 577abba..83bb960 100644
--- a/arch/score/kernel/entry.S
+++ b/arch/score/kernel/entry.S
@@ -408,7 +408,7 @@ ENTRY(handle_sys)
 	sw	r9, [r0, PT_EPC]
 
 	cmpi.c	r27, __NR_syscalls 	# check syscall number
-	bgtu	illegal_syscall
+	bgeu	illegal_syscall
 
 	slli	r8, r27, 2		# get syscall routine
 	la	r11, sys_call_table
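
Review bot: the comment on the `cmpi.c r27, __NR_syscalls` line still reads only "check syscall number", although the whole fix is the choice of `bgeu` over `bgtu`. Please state the bound there, for example that valid numbers are 0 through __NR_syscalls - 1, so the exclusive limit is not turned back into an inclusive one in a later cleanup. Because the branch is the unsigned form, values with the high bit set are still rejected before `slli r8, r27, 2` scales the index into sys_call_table; that is worth a word in the same comment.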

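The off-by-one described in the message above, modelled in user-space C as an added example (not part of the original mail or the kernel source). The table size, handler names, `REJECTED` value and the two memory images are constructed for illustration; the extra array slot stands for whatever word happens to follow sys_call_table.

```c
#include <stddef.h>
#include <stdio.h>

#define NR_SYSCALLS 4      /* stand-in for __NR_syscalls (constructed value) */
#define REJECTED (-1000L)  /* stand-in for the illegal_syscall path */

typedef long (*syscall_fn)(void);

static long sys_a(void) { return 10; }
static long sys_b(void) { return 11; }
static long sys_d(void) { return 13; }
static long neighbour(void) { return 999; } /* whatever the linker put after the table */

/* Constructed memory images: NR_SYSCALLS table slots plus the one word after them. */
static const syscall_fn mem_null_after[NR_SYSCALLS + 1] =
    { sys_a, sys_b, NULL, sys_d, /* past the table: */ NULL };
static const syscall_fn mem_ptr_after[NR_SYSCALLS + 1] =
    { sys_a, sys_b, NULL, sys_d, /* past the table: */ neighbour };

/* fixed == 0 models the old bgtu check, fixed != 0 the patched bgeu check. */
static long dispatch(const syscall_fn *mem, unsigned long nr, int fixed)
{
    int illegal = fixed ? (nr >= NR_SYSCALLS) : (nr > NR_SYSCALLS);

    if (illegal)
        return REJECTED;
    if (mem[nr] == NULL)        /* the additional NULL check on the entry */
        return REJECTED;
    return mem[nr]();
}

int main(void)
{
    printf("old check, NULL after table:    %ld\n",
           dispatch(mem_null_after, NR_SYSCALLS, 0));
    printf("old check, pointer after table: %ld\n",
           dispatch(mem_ptr_after, NR_SYSCALLS, 0));
    printf("new check, pointer after table: %ld\n",
           dispatch(mem_ptr_after, NR_SYSCALLS, 1));
    printf("new check, last valid syscall:  %ld\n",
           dispatch(mem_ptr_after, NR_SYSCALLS - 1, 1));
    return 0;
}
```

With the old comparison, the outcome for a number equal to the table size depends entirely on the adjacent word; with the patched comparison it is rejected regardless.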