Commit c25a785d, authored by Dan Rosenberg, committed by Linus Torvalds

score: fix off-by-one index into syscall table

If the provided system call number is equal to __NR_syscalls, the
current check will pass and a function pointer just after the system
call table may be called, since sys_call_table is an array with total
size __NR_syscalls.

Whether or not this is a security bug depends on what the compiler puts
immediately after the system call table.  It's likely that this won't do
anything bad because there is an additional NULL check on the syscall
entry, but if there happens to be a non-NULL value immediately after the
system call table, this may result in local privilege escalation.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@vger.kernel.org>
Cc: Chen Liqin <liqin.chen@sunplusct.com>
Cc: Lennox Wu <lennox.wu@gmail.com>
Cc: Eugene Teo <eugeneteo@kernel.sg>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Parent 9f9f1acd
...@@ -408,7 +408,7 @@ ENTRY(handle_sys) ...@@ -408,7 +408,7 @@ ENTRY(handle_sys)
sw r9, [r0, PT_EPC] sw r9, [r0, PT_EPC]
cmpi.c r27, __NR_syscalls # check syscall number cmpi.c r27, __NR_syscalls # check syscall number
bgtu illegal_syscall bgeu illegal_syscall
slli r8, r27, 2 # get syscall routine slli r8, r27, 2 # get syscall routine
la r11, sys_call_table la r11, sys_call_table
......
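Review bot: the comment on the "cmpi.c r27, __NR_syscalls" line still reads only "check syscall number" and does not say that the bound is exclusive, which is exactly the property the switch from bgtu to bgeu restores. Suggest stating it in the comment, for example "reject r27 >= __NR_syscalls; valid indices are 0..__NR_syscalls-1", so the branch condition is not loosened again in a later cleanup. The following "slli r8, r27, 2" turns r27 directly into a byte offset into sys_call_table, so this compare-and-branch is the only bounds check visible in the hunk before the table is indexed, and the comment should make that dependency clear.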