From e807f9574e37a3f202e677feaaad1b7c5d2c0db8 Mon Sep 17 00:00:00 2001
From: Vlad Malov
Date: Tue, 18 Nov 2008 15:05:46 -0800
Subject: MIPS: Fix potential DOS by untrusted user app.

On a 64 bit kernel if an o32 syscall was made with a syscall number less than 4000, we would read the function from outside of the bounds of the syscall table. This led to non-deterministic behavior including system crashes.

While we were at it we reworked the 32 bit version as well to use fewer instructions. Both 32 and 64 bit versions are use the same code now.

Signed-off-by: Vlad Malov
Signed-off-by: David Daney
Signed-off-by: Ralf Baechle
---
 arch/mips/kernel/scall64-o32.S | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)
(limited to 'arch/mips/kernel/scall64-o32.S')

diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
index 6c7ef8313ebd..facb41a76d1b 100644
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -174,14 +174,12 @@ not_o32_scall:
 	END(handle_sys)
 
 LEAF(sys32_syscall)
-	sltu	v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1
+	subu	t0, a0, __NR_O32_Linux	# check syscall number
+	sltiu	v0, t0, __NR_O32_Linux_syscalls + 1
+	beqz	t0, einval		# do not recurse
+	dsll	t1, t0, 3
 	beqz	v0, einval
-
-	dsll	v0, a0, 3
-	ld	t2, (sys_call_table - (__NR_O32_Linux * 8))(v0)
-
-	li	v1, 4000			# indirect syscall number
-	beq	a0, v1, einval		# do not recurse
+	ld	t2, sys_call_table(t1)		# syscall routine
 
 	move	a0, a1			# shift argument registers
 	move	a1, a2
-- 
cgit v1.2.2

From 8d13cb26cd3bf23946743a5b4af2fecd88fc4974 Mon Sep 17 00:00:00 2001
From: Ralf Baechle
Date: Wed, 3 Dec 2008 17:03:27 +0000
Subject: MIPS: 64-bit: vmsplice needs to use the compat wrapper for o32 and N32.

Signed-off-by: Ralf Baechle
---
 arch/mips/kernel/scall64-o32.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'arch/mips/kernel/scall64-o32.S')
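Review bot: The two-sided bound on the new `sltiu v0, t0, __NR_O32_Linux_syscalls + 1` line holds only because `subu` leaves a sign-extended 32-bit result in t0, so a number below __NR_O32_Linux becomes a huge unsigned value and fails the same compare as a too-large one; that in turn relies on a0 arriving as a canonical sign-extended value, which presumably holds for o32 callers but is nowhere stated. A comment on the `subu` line such as `# t0 < 0 (number below __NR_O32_Linux) wraps to a huge unsigned value, so the single sltiu below rejects both ends of the range` would make the lower-bound check visible to the next reader, who otherwise sees only an upper-bound compare. The check also depends on `__NR_O32_Linux_syscalls + 1` fitting sltiu's 16-bit signed immediate; the assembler will reject the build if the table ever grows past that, so no code change is needed beyond the comment. The body of sys32_syscall continues past the end of this hunk.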
diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
index facb41a76d1b..3d55e3bbdfc3 100644
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -510,7 +510,7 @@ sys_call_table:
 	PTR	sys_splice
 	PTR	sys32_sync_file_range		/* 4305 */
 	PTR	sys_tee
-	PTR	sys_vmsplice
+	PTR	compat_sys_vmsplice
 	PTR	compat_sys_move_pages
 	PTR	compat_sys_set_robust_list
 	PTR	compat_sys_get_robust_list	/* 4310 */
-- 
cgit v1.2.2

From c6cb4df96fa22d1174d6fb6dfc2c7501d7afaeea Mon Sep 17 00:00:00 2001
From: David Daney
Date: Fri, 31 Oct 2008 11:23:09 -0700
Subject: MIPS: Return ENOSYS from sys32_syscall on 64bit kernels like elsewhere.

When the o32 errno was changed to ENOSYS, we forgot to update the code for 64bit kernels.

Signed-off-by: David Daney
Acked-by: Atsushi Nemoto
Signed-off-by: Ralf Baechle
---
 arch/mips/kernel/scall64-o32.S | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'arch/mips/kernel/scall64-o32.S')

diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
index 3d55e3bbdfc3..fefef4af8595 100644
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -196,7 +196,7 @@ LEAF(sys32_syscall)
 	jr	t2
 	/* Unreached */
 
-einval:	li	v0, -EINVAL
+einval:	li	v0, -ENOSYS
 	jr	ra
 	END(sys32_syscall)
 
-- 
cgit v1.2.2
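Review bot: The `einval` label on the changed line now returns -ENOSYS, so its name misleads anyone reading the `beqz ..., einval` branches earlier in sys32_syscall (outside this hunk) into expecting EINVAL. Either rename it to `enosys` at the label and at both branch sites, or keep the name and document the intent on the line itself: `einval:	li	v0, -ENOSYS		# bad or recursive syscall number; ENOSYS to match the 32-bit code`. The enclosing function starts before this hunk.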