projects / unionfs-2.6.39.y.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: aac3f59) | patch
score: fix off-by-one index into syscall table
authorDan Rosenberg <drosenberg@vsecurity.com>
Fri, 20 Jan 2012 22:34:27 +0000 (14:34 -0800)
committerPaul Gortmaker <paul.gortmaker@windriver.com>
Thu, 17 May 2012 15:21:39 +0000 (11:21 -0400)
commit861743b9f32cdf4d3e4af10a2c4f13ad9001c9f2
tree435184a41a4cf6d8711a2e8eed512e4a30a0d51ftree | snapshot
parentaac3f5904beea76bcd6da3e047586f4f3b0f0179commit | diff
score: fix off-by-one index into syscall table

commit c25a785d6647984505fa165b5cd84cfc9a95970b upstream.

If the provided system call number is equal to __NR_syscalls, the
current check will pass and a function pointer just after the system
call table may be called, since sys_call_table is an array with total
size __NR_syscalls.

Whether or not this is a security bug depends on what the compiler puts
immediately after the system call table.  It's likely that this won't do
anything bad because there is an additional NULL check on the syscall
entry, but if there happens to be a non-NULL value immediately after the
system call table, this may result in local privilege escalation.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@vger.kernel.org>
Cc: Chen Liqin <liqin.chen@sunplusct.com>
Cc: Lennox Wu <lennox.wu@gmail.com>
Cc: Eugene Teo <eugeneteo@kernel.sg>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
arch/score/kernel/entry.S diff | blob | history
unionfs2-2.6.39.y