[PATCH] score: fix off-by-one index into syscall table

From: Dan Rosenberg
Date: Fri Jan 06 2012 - 08:28:29 EST


If the provided system call number is equal to __NR_syscalls, the
current check will pass and a function pointer just after the system
call table may be called, since sys_call_table is an array with total
size __NR_syscalls. Whether or not this is a security bug depends on
what the compiler puts immediately after the system call table. It's
likely that this won't do anything bad because there is an additional
NULL check on the syscall entry, but if there happens to be a non-NULL
value immediately after the system call table, this may result in local
privilege escalation.

Signed-off-by: Dan Rosenberg <drosenberg@xxxxxxxxxxxxx>
Cc: stable@xxxxxxxxxx
Cc: security@xxxxxxxxxx
---
arch/score/kernel/entry.S | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/arch/score/kernel/entry.S b/arch/score/kernel/entry.S
index 577abba..83bb960 100644
--- a/arch/score/kernel/entry.S
+++ b/arch/score/kernel/entry.S
@@ -408,7 +408,7 @@ ENTRY(handle_sys)
sw r9, [r0, PT_EPC]

cmpi.c r27, __NR_syscalls # check syscall number
- bgtu illegal_syscall
+ bgeu illegal_syscall

slli r8, r27, 2 # get syscall routine
la r11, sys_call_table


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/