aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDan Rosenberg <drosenberg@vsecurity.com>2012-01-20 14:34:27 -0800
committerGreg Kroah-Hartman <gregkh@suse.de>2012-01-25 13:53:25 -0800
commit18105e188320040b4ebdce3ac4231d719b61aedf (patch)
treef702b38a92c1905c5e836b594bfb71c4d24db436
parent751153cccad7b285060c11af30379fcf599dc625 (diff)
score: fix off-by-one index into syscall table
commit c25a785d6647984505fa165b5cd84cfc9a95970b upstream. If the provided system call number is equal to __NR_syscalls, the current check will pass and a function pointer just after the system call table may be called, since sys_call_table is an array with total size __NR_syscalls. Whether or not this is a security bug depends on what the compiler puts immediately after the system call table. It's likely that this won't do anything bad because there is an additional NULL check on the syscall entry, but if there happens to be a non-NULL value immediately after the system call table, this may result in local privilege escalation. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Cc: Chen Liqin <liqin.chen@sunplusct.com> Cc: Lennox Wu <lennox.wu@gmail.com> Cc: Eugene Teo <eugeneteo@kernel.sg> Cc: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--arch/score/kernel/entry.S2
1 files changed, 1 insertions, 1 deletions
diff --git a/arch/score/kernel/entry.S b/arch/score/kernel/entry.S
index 577abba3fac..83bb96079c4 100644
--- a/arch/score/kernel/entry.S
+++ b/arch/score/kernel/entry.S
@@ -408,7 +408,7 @@ ENTRY(handle_sys)
sw r9, [r0, PT_EPC]
cmpi.c r27, __NR_syscalls # check syscall number
- bgtu illegal_syscall
+ bgeu illegal_syscall
slli r8, r27, 2 # get syscall routine
la r11, sys_call_table