Skip to content

Commit

Permalink
score: fix off-by-one index into syscall table
Browse files Browse the repository at this point in the history 
If the provided system call number is equal to __NR_syscalls, the
current check will pass and a function pointer just after the system
call table may be called, since sys_call_table is an array with total
size __NR_syscalls.

Whether or not this is a security bug depends on what the compiler puts
immediately after the system call table.  It's likely that this won't do
anything bad because there is an additional NULL check on the syscall
entry, but if there happens to be a non-NULL value immediately after the
system call table, this may result in local privilege escalation.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@vger.kernel.org>
Cc: Chen Liqin <liqin.chen@sunplusct.com>
Cc: Lennox Wu <lennox.wu@gmail.com>
Cc: Eugene Teo <eugeneteo@kernel.sg>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  • Loading branch information
Dan Rosenberg authored and Linus Torvalds committed Jan 23, 2012
1 parent 9f9f1ac commit c25a785
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion arch/score/kernel/entry.S
View file
Original file line number Diff line number Diff line change
Expand Up @@ -408,7 +408,7 @@ ENTRY(handle_sys)
sw r9, [r0, PT_EPC]

cmpi.c r27, __NR_syscalls # check syscall number
bgtu illegal_syscall
bgeu illegal_syscall

slli r8, r27, 2 # get syscall routine
la r11, sys_call_table
Expand Down

0 comments on commit c25a785

Please sign in to comment.