MIPS: Fix potential DOS by untrusted user app.

On a 64 bit kernel if an o32 syscall was made with a syscall number less than 4000, we would read the function from outside of the bounds of the syscall table. This led to non-deterministic behavior including system crashes. While we were at it we reworked the 32 bit version as well to use fewer instructions. Both 32 and 64 bit versions are use the same code now. Signed-off-by: Vlad Malov <Vlad.Malov@caviumnetworks.com> Signed-off-by: David Daney <ddaney@caviumnetworks.com> Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
author: Vlad Malov <Vlad.Malov@caviumnetworks.com> 2008-11-18 18:05:46 -0500
committer: Ralf Baechle <ralf@linux-mips.org> 2008-12-04 12:47:26 -0500
commit: e807f9574e37a3f202e677feaaad1b7c5d2c0db8 (patch)
tree: a9b61e4d8f4e53a81df3bb14df0a4c2b037d8d81 /arch/mips/kernel/scall64-o32.S
parent: feaf3848a813a106f163013af6fcf6c4bfec92d9 (diff)
1 files changed, 5 insertions, 7 deletions
diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
index 6c7ef8313ebd..facb41a76d1b 100644
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -174,14 +174,12 @@ not_o32_scall:
        END(handle_sys)
 LEAF(sys32_syscall)
-        sltu    v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1
+        subu    t0, a0, __NR_O32_Linux  # check syscall number
+        sltiu   v0, t0, __NR_O32_Linux_syscalls + 1
+        beqz    t0, einval              # do not recurse
+        dsll    t1, t0, 3
        beqz    v0, einval
+        ld      t2, sys_call_table(t1)          # syscall routine
-        dsll    v0, a0, 3
-        ld      t2, (sys_call_table - (__NR_O32_Linux * 8))(v0)
-        li      v1, 4000                # indirect syscall number
-        beq     a0, v1, einval          # do not recurse
        move    a0, a1                  # shift argument registers
        move    a1, a2
author	Vlad Malov <Vlad.Malov@caviumnetworks.com>	2008-11-18 18:05:46 -0500
committer	Ralf Baechle <ralf@linux-mips.org>	2008-12-04 12:47:26 -0500
commit	e807f9574e37a3f202e677feaaad1b7c5d2c0db8 (patch)
tree	a9b61e4d8f4e53a81df3bb14df0a4c2b037d8d81 /arch/mips/kernel/scall64-o32.S
parent	feaf3848a813a106f163013af6fcf6c4bfec92d9 (diff)

diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S index 6c7ef8313ebd..facb41a76d1b 100644 --- a/arch/mips/kernel/scall64-o32.S +++ b/arch/mips/kernel/scall64-o32.S
@@ -174,14 +174,12 @@ not_o32_scall:
174	END(handle_sys)	174	END(handle_sys)
175		175
176	LEAF(sys32_syscall)	176	LEAF(sys32_syscall)
177	sltu v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1	177	subu t0, a0, __NR_O32_Linux # check syscall number
		178	sltiu v0, t0, __NR_O32_Linux_syscalls + 1
		179	beqz t0, einval # do not recurse
		180	dsll t1, t0, 3
178	beqz v0, einval	181	beqz v0, einval
179		182	ld t2, sys_call_table(t1) # syscall routine
180	dsll v0, a0, 3
181	ld t2, (sys_call_table - (__NR_O32_Linux * 8))(v0)
182
183	li v1, 4000 # indirect syscall number
184	beq a0, v1, einval # do not recurse
185		183
186	move a0, a1 # shift argument registers	184	move a0, a1 # shift argument registers
187	move a1, a2	185	move a1, a2