* [PATCH] score: fix off-by-one index into syscall table
@ 2012-01-06 13:21 Dan Rosenberg
2012-01-10 6:40 ` Eugene Teo
0 siblings, 1 reply; 4+ messages in thread
From: Dan Rosenberg @ 2012-01-06 13:21 UTC (permalink / raw)
To: liqin.chen, lennox.wu; +Cc: linux-kernel, security
If the provided system call number is equal to __NR_syscalls, the
current check will pass and a function pointer just after the system
call table may be called, since sys_call_table is an array with total
size __NR_syscalls. Whether or not this is a security bug depends on
what the compiler puts immediately after the system call table. It's
likely that this won't do anything bad because there is an additional
NULL check on the syscall entry, but if there happens to be a non-NULL
value immediately after the system call table, this may result in local
privilege escalation.
Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: stable@kernel.org
Cc: security@kernel.org
---
arch/score/kernel/entry.S | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/arch/score/kernel/entry.S b/arch/score/kernel/entry.S
index 577abba..83bb960 100644
--- a/arch/score/kernel/entry.S
+++ b/arch/score/kernel/entry.S
@@ -408,7 +408,7 @@ ENTRY(handle_sys)
sw r9, [r0, PT_EPC]
cmpi.c r27, __NR_syscalls # check syscall number
- bgtu illegal_syscall
+ bgeu illegal_syscall
slli r8, r27, 2 # get syscall routine
la r11, sys_call_table
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] score: fix off-by-one index into syscall table
2012-01-06 13:21 [PATCH] score: fix off-by-one index into syscall table Dan Rosenberg
@ 2012-01-10 6:40 ` Eugene Teo
2012-01-10 6:55 ` Eugene Teo
0 siblings, 1 reply; 4+ messages in thread
From: Eugene Teo @ 2012-01-10 6:40 UTC (permalink / raw)
To: Dan Rosenberg; +Cc: liqin.chen, lennox.wu, linux-kernel, security, arnd
Cc'ed arnd@arndb.de
ping
On Fri, Jan 6, 2012 at 9:21 PM, Dan Rosenberg <drosenberg@vsecurity.com> wrote:
> If the provided system call number is equal to __NR_syscalls, the
> current check will pass and a function pointer just after the system
> call table may be called, since sys_call_table is an array with total
> size __NR_syscalls. Whether or not this is a security bug depends on
> what the compiler puts immediately after the system call table. It's
> likely that this won't do anything bad because there is an additional
> NULL check on the syscall entry, but if there happens to be a non-NULL
> value immediately after the system call table, this may result in local
> privilege escalation.
>
> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> Cc: stable@kernel.org
> Cc: security@kernel.org
> ---
> arch/score/kernel/entry.S | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/arch/score/kernel/entry.S b/arch/score/kernel/entry.S
> index 577abba..83bb960 100644
> --- a/arch/score/kernel/entry.S
> +++ b/arch/score/kernel/entry.S
> @@ -408,7 +408,7 @@ ENTRY(handle_sys)
> sw r9, [r0, PT_EPC]
>
> cmpi.c r27, __NR_syscalls # check syscall number
> - bgtu illegal_syscall
> + bgeu illegal_syscall
>
> slli r8, r27, 2 # get syscall routine
> la r11, sys_call_table
>
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] score: fix off-by-one index into syscall table
2012-01-10 6:40 ` Eugene Teo
@ 2012-01-10 6:55 ` Eugene Teo
2012-01-10 16:10 ` Lennox Wu
0 siblings, 1 reply; 4+ messages in thread
From: Eugene Teo @ 2012-01-10 6:55 UTC (permalink / raw)
To: Dan Rosenberg; +Cc: liqin.chen, lennox.wu, linux-kernel, security, arnd
On Tue, Jan 10, 2012 at 2:40 PM, Eugene Teo <eugeneteo@kernel.sg> wrote:
> Cc'ed arnd@arndb.de
>
> ping
Liqin's work email bounced. I'm not sure if he is working on these
anymore. If not, the MAINTAINERS file needs to be updated.
> On Fri, Jan 6, 2012 at 9:21 PM, Dan Rosenberg <drosenberg@vsecurity.com> wrote:
>> If the provided system call number is equal to __NR_syscalls, the
>> current check will pass and a function pointer just after the system
>> call table may be called, since sys_call_table is an array with total
>> size __NR_syscalls. Whether or not this is a security bug depends on
>> what the compiler puts immediately after the system call table. It's
>> likely that this won't do anything bad because there is an additional
>> NULL check on the syscall entry, but if there happens to be a non-NULL
>> value immediately after the system call table, this may result in local
>> privilege escalation.
>>
>> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
>> Cc: stable@kernel.org
>> Cc: security@kernel.org
>> ---
>> arch/score/kernel/entry.S | 2 +-
>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/arch/score/kernel/entry.S b/arch/score/kernel/entry.S
>> index 577abba..83bb960 100644
>> --- a/arch/score/kernel/entry.S
>> +++ b/arch/score/kernel/entry.S
>> @@ -408,7 +408,7 @@ ENTRY(handle_sys)
>> sw r9, [r0, PT_EPC]
>>
>> cmpi.c r27, __NR_syscalls # check syscall number
>> - bgtu illegal_syscall
>> + bgeu illegal_syscall
>>
>> slli r8, r27, 2 # get syscall routine
>> la r11, sys_call_table
>>
>>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] score: fix off-by-one index into syscall table
2012-01-10 6:55 ` Eugene Teo
@ 2012-01-10 16:10 ` Lennox Wu
0 siblings, 0 replies; 4+ messages in thread
From: Lennox Wu @ 2012-01-10 16:10 UTC (permalink / raw)
To: Eugene Teo
Cc: Dan Rosenberg, liqin.chen, linux-kernel, security, arnd,
Liqin Chen
Dear all,
I will look the issue and update the informaion of MAINTAINERS.
Best,
Lennox
2012/1/10 Eugene Teo <eugeneteo@kernel.sg>
>
> On Tue, Jan 10, 2012 at 2:40 PM, Eugene Teo <eugeneteo@kernel.sg> wrote:
> > Cc'ed arnd@arndb.de
> >
> > ping
>
> Liqin's work email bounced. I'm not sure if he is working on these
> anymore. If not, the MAINTAINERS file needs to be updated.
>
> > On Fri, Jan 6, 2012 at 9:21 PM, Dan Rosenberg <drosenberg@vsecurity.com> wrote:
> >> If the provided system call number is equal to __NR_syscalls, the
> >> current check will pass and a function pointer just after the system
> >> call table may be called, since sys_call_table is an array with total
> >> size __NR_syscalls. Whether or not this is a security bug depends on
> >> what the compiler puts immediately after the system call table. It's
> >> likely that this won't do anything bad because there is an additional
> >> NULL check on the syscall entry, but if there happens to be a non-NULL
> >> value immediately after the system call table, this may result in local
> >> privilege escalation.
> >>
> >> Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
> >> Cc: stable@kernel.org
> >> Cc: security@kernel.org
> >> ---
> >> arch/score/kernel/entry.S | 2 +-
> >> 1 files changed, 1 insertions(+), 1 deletions(-)
> >>
> >> diff --git a/arch/score/kernel/entry.S b/arch/score/kernel/entry.S
> >> index 577abba..83bb960 100644
> >> --- a/arch/score/kernel/entry.S
> >> +++ b/arch/score/kernel/entry.S
> >> @@ -408,7 +408,7 @@ ENTRY(handle_sys)
> >> sw r9, [r0, PT_EPC]
> >>
> >> cmpi.c r27, __NR_syscalls # check syscall number
> >> - bgtu illegal_syscall
> >> + bgeu illegal_syscall
> >>
> >> slli r8, r27, 2 # get syscall routine
> >> la r11, sys_call_table
> >>
> >>
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2012-01-10 16:10 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-01-06 13:21 [PATCH] score: fix off-by-one index into syscall table Dan Rosenberg
2012-01-10 6:40 ` Eugene Teo
2012-01-10 6:55 ` Eugene Teo
2012-01-10 16:10 ` Lennox Wu
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox