diff options
author | Vlad Malov <Vlad.Malov@caviumnetworks.com> | 2008-11-18 15:05:46 -0800 |
---|---|---|
committer | Ralf Baechle <ralf@linux-mips.org> | 2008-12-04 17:47:26 +0000 |
commit | e807f9574e37a3f202e677feaaad1b7c5d2c0db8 (patch) | |
tree | a9b61e4d8f4e53a81df3bb14df0a4c2b037d8d81 /arch/mips/kernel/scall64-o32.S | |
parent | feaf3848a813a106f163013af6fcf6c4bfec92d9 (diff) | |
download | talos-op-linux-e807f9574e37a3f202e677feaaad1b7c5d2c0db8.tar.gz talos-op-linux-e807f9574e37a3f202e677feaaad1b7c5d2c0db8.zip |
MIPS: Fix potential DOS by untrusted user app.
On a 64 bit kernel if an o32 syscall was made with a syscall number less
than 4000, we would read the function from outside of the bounds of the
syscall table. This led to non-deterministic behavior including system
crashes.
While we were at it we reworked the 32 bit version as well to use fewer
instructions. Both 32 and 64 bit versions are use the same code now.
Signed-off-by: Vlad Malov <Vlad.Malov@caviumnetworks.com>
Signed-off-by: David Daney <ddaney@caviumnetworks.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Diffstat (limited to 'arch/mips/kernel/scall64-o32.S')
-rw-r--r-- | arch/mips/kernel/scall64-o32.S | 12 |
1 files changed, 5 insertions, 7 deletions
diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S index 6c7ef8313ebd..facb41a76d1b 100644 --- a/arch/mips/kernel/scall64-o32.S +++ b/arch/mips/kernel/scall64-o32.S @@ -174,14 +174,12 @@ not_o32_scall: END(handle_sys) LEAF(sys32_syscall) - sltu v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1 + subu t0, a0, __NR_O32_Linux # check syscall number + sltiu v0, t0, __NR_O32_Linux_syscalls + 1 + beqz t0, einval # do not recurse + dsll t1, t0, 3 beqz v0, einval - - dsll v0, a0, 3 - ld t2, (sys_call_table - (__NR_O32_Linux * 8))(v0) - - li v1, 4000 # indirect syscall number - beq a0, v1, einval # do not recurse + ld t2, sys_call_table(t1) # syscall routine move a0, a1 # shift argument registers move a1, a2 |