From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Shahab Vahedi, Vineet Gupta
Subject: [PATCH 5.12 248/363] ARC: entry: fix off-by-one error in syscall number validation
Date: Mon, 17 May 2021 16:01:54 +0200
Message-Id: <20210517140310.977209373@linuxfoundation.org>
In-Reply-To: <20210517140302.508966430@linuxfoundation.org>
References: <20210517140302.508966430@linuxfoundation.org>

From: Vineet Gupta

commit 3433adc8bd09fc9f29b8baddf33b4ecd1ecd2cdc upstream.

We have NR_syscall syscalls from [0 .. NR_syscall-1]. However the check for invalid syscall number is "> NR_syscall" as opposed to >=. This off-by-one error erroneously allows "NR_syscall" to be treated as valid syscall causing out-of-bounds access into syscall-call table ensuing a crash (holes within syscall table have an invalid-entry handler but this is beyond the array implementing the table).

This problem showed up on v5.6 kernel when testing glibc 2.33 (v5.10 kernel capable, including faccessat2 syscall 439).

The v5.6 kernel has NR_syscalls=439 (0 to 438).

Due to the bug, 439 passed by glibc was not handled as -ENOSYS but processed leading to a crash.

Link: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/48
Reported-by: Shahab Vahedi
Cc:
Signed-off-by: Vineet Gupta
Signed-off-by: Greg Kroah-Hartman

--- arch/arc/kernel/entry.S | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/arch/arc/kernel/entry.S +++ b/arch/arc/kernel/entry.S @@ -177,7 +177,7 @@ tracesys: ; Do the Sys Call as we normally would. ; Validate the Sys Call number - cmp r8, NR_syscalls + cmp r8, NR_syscalls - 1 mov.hi r0, -ENOSYS bhi tracesys_exit 
@@ -255,7 +255,7 @@ ENTRY(EV_Trap) ;============ Normal syscall case ; syscall num shd not exceed the total system calls avail - cmp r8, NR_syscalls + cmp r8, NR_syscalls - 1 mov.hi r0, -ENOSYS bhi .Lret_from_system_call
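Review bot: in the tracesys hunk (@@ -177,7 +177,7 @@), the comment above the compare, "; Validate the Sys Call number", does not say what the valid range is, so a reader cannot tell from the code why the operand is "NR_syscalls - 1" rather than "NR_syscalls". Suggest extending the comment to state that valid numbers are 0 .. NR_syscalls-1 and that the "hi" condition on "mov.hi" / "bhi" therefore rejects r8 >= NR_syscalls, which is the case that indexed past the end of the table. The same cmp / mov.hi / bhi sequence is changed identically in the EV_Trap hunk; putting the bound check behind one shared macro would keep the two entry paths from drifting apart again.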
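Review bot: in the EV_Trap hunk (@@ -255,7 +255,7 @@), the unchanged comment "; syscall num shd not exceed the total system calls avail" still describes the old check. A number equal to the total does not "exceed" it, yet that is exactly the value the new "cmp r8, NR_syscalls - 1" has to reject. Suggest rewording the comment in this patch to say the number must be strictly less than NR_syscalls (highest valid number is NR_syscalls-1), so the comment and the comparison agree.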