MIPS: Fix potential DOS by untrusted user app.

On a 64 bit kernel if an o32 syscall was made with a syscall number less
than 4000, we would read the function from outside of the bounds of the
syscall table.  This led to non-deterministic behavior including system
crashes.

While we were at it we reworked the 32 bit version as well to use fewer
instructions.  Both 32 and 64 bit versions are use the same code now.

Signed-off-by: Vlad Malov <Vlad.Malov@caviumnetworks.com>
Signed-off-by: David Daney <ddaney@caviumnetworks.com>
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>

1 files changed, 1 insertions, 4 deletions

diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
index 759f68066b5d..34a4dbd76f24 100644
--- a/arch/mips/kernel/scall32-o32.S
+++ b/arch/mips/kernel/scall32-o32.S
@@ -262,14 +262,11 @@ bad_alignment:
         LEAF(sys_syscall)
         subu    t0, a0, __NR_O32_Linux  # check syscall number
         sltiu   v0, t0, __NR_O32_Linux_syscalls + 1
+        beqz    t0, einval              # do not recurse
         sll     t1, t0, 3
         beqz    v0, einval
-
         lw      t2, sys_call_table(t1)          # syscall routine
 
-        li      v1, 4000 - __NR_O32_Linux       # index of sys_syscall
-        beq     t0, v1, einval                  # do not recurse
-
         /* Some syscalls like execve get their arguments from struct pt_regs
            and claim zero arguments in the syscall table. Thus we have to
            assume the worst case and shuffle around all potential arguments.