From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Shahab Vahedi, Vineet Gupta
Subject: [PATCH 5.4 095/141] ARC: entry: fix off-by-one error in syscall number validation
Date: Mon, 17 May 2021 16:02:27 +0200
Message-Id: <20210517140245.964886825@linuxfoundation.org>
In-Reply-To: <20210517140242.729269392@linuxfoundation.org>
References: <20210517140242.729269392@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Vineet Gupta

commit 3433adc8bd09fc9f29b8baddf33b4ecd1ecd2cdc upstream.

We have NR_syscall syscalls from [0 .. NR_syscall-1]. However the check for invalid syscall number is "> NR_syscall" as opposed to >=. This off-by-one error erroneously allows "NR_syscall" to be treated as a valid syscall, causing out-of-bounds access into the syscall-call table ensuing a crash (holes within the syscall table have an invalid-entry handler but this is beyond the array implementing the table).

This problem showed up on v5.6 kernel when testing glibc 2.33 (v5.10 kernel capable, including faccessat2 syscall 439). The v5.6 kernel has NR_syscalls=439 (0 to 438). Due to the bug, 439 passed by glibc was not handled as -ENOSYS but processed leading to a crash.

Link: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/48
Reported-by: Shahab Vahedi
Cc:
Signed-off-by: Vineet Gupta
Signed-off-by: Greg Kroah-Hartman
---
 arch/arc/kernel/entry.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arc/kernel/entry.S
+++ b/arch/arc/kernel/entry.S
@@ -165,7 +165,7 @@ tracesys: ; Do the Sys Call as we normally would. ; Validate the Sys Call number - cmp r8, NR_syscalls + cmp r8, NR_syscalls - 1 mov.hi r0, -ENOSYS bhi tracesys_exit
@@ -243,7 +243,7 @@ ENTRY(EV_Trap) ;============ Normal syscall case ; syscall num shd not exceed the total system calls avail - cmp r8, NR_syscalls + cmp r8, NR_syscalls - 1 mov.hi r0, -ENOSYS bhi .Lret_from_system_call
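Review bot: in the tracesys hunk (@@ -165), `cmp r8, NR_syscalls - 1` followed by `mov.hi r0, -ENOSYS` / `bhi tracesys_exit` is correct, since `hi` is ARC's unsigned higher-than condition, so any r8 >= NR_syscalls (including a negative number, which compares as a large unsigned value) now takes the -ENOSYS path; but folding `- 1` into the assembler-evaluated operand is easy for a later reader to mistake for the very off-by-one it fixes and to "correct" back. Consider keeping the comparison against the documented bound and changing the condition instead, i.e. `cmp r8, NR_syscalls` with `mov.hs r0, -ENOSYS` / `bhs tracesys_exit`, or at least add a one-line comment stating that the valid range is 0..NR_syscalls-1.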
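Review bot: in the EV_Trap hunk (@@ -243), the retained context comment `; syscall num shd not exceed the total system calls avail` is now misleading, because after this change a number equal to NR_syscalls is rejected as well; reword it to say the number must be strictly below NR_syscalls (valid range 0..NR_syscalls-1). This check duplicates the one in tracesys, so a shared macro for the bound test would keep the two paths from drifting apart again, and a test that syscall(NR_syscalls) returns -ENOSYS would pin down the boundary this patch corrects.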