From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Shahab Vahedi, Vineet Gupta
Subject: [PATCH 5.11 229/329] ARC: entry: fix off-by-one error in syscall number validation
Date: Mon, 17 May 2021 16:02:20 +0200
Message-Id: <20210517140309.861621685@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210517140302.043055203@linuxfoundation.org>
References: <20210517140302.043055203@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Vineet Gupta

commit 3433adc8bd09fc9f29b8baddf33b4ecd1ecd2cdc upstream.

We have NR_syscall syscalls from [0 .. NR_syscall-1]. However the check for invalid syscall number is "> NR_syscall" as opposed to >=. This off-by-one error erroneously allows "NR_syscall" to be treated as a valid syscall, causing out-of-bounds access into the syscall-call table ensuing a crash (holes within the syscall table have an invalid-entry handler but this is beyond the array implementing the table).

This problem showed up on v5.6 kernel when testing glibc 2.33 (v5.10 kernel capable, including faccessat2 syscall 439). The v5.6 kernel has NR_syscalls=439 (0 to 438). Due to the bug, 439 passed by glibc was not handled as -ENOSYS but processed leading to a crash.

Link: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/48
Reported-by: Shahab Vahedi
Cc:
Signed-off-by: Vineet Gupta
Signed-off-by: Greg Kroah-Hartman
---
 arch/arc/kernel/entry.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arc/kernel/entry.S
+++ b/arch/arc/kernel/entry.S
@@ -177,7 +177,7 @@ tracesys:
 ; Do the Sys Call as we normally would.
 ; Validate the Sys Call number
-cmp r8, NR_syscalls
+cmp r8, NR_syscalls - 1
 mov.hi r0, -ENOSYS
 bhi tracesys_exit
@@ -255,7 +255,7 @@ ENTRY(EV_Trap)
 ;============ Normal syscall case
 ; syscall num shd not exceed the total system calls avail
-cmp r8, NR_syscalls
+cmp r8, NR_syscalls - 1
 mov.hi r0, -ENOSYS
 bhi .Lret_from_system_call
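Review bot: In the tracesys hunk, the new bound "cmp r8, NR_syscalls - 1" followed by "bhi tracesys_exit" is the right inclusive limit: bhi branches on unsigned "higher", so it now rejects r8 == NR_syscalls, which the old "cmp r8, NR_syscalls" let through to index one entry past the table, and the unsigned compare also rejects any value with the top bit set. Since the assembler folds "NR_syscalls - 1" at build time there is no runtime cost, but the inclusive bound is easy to re-break; suggest a one-line comment at the compare such as "; valid syscall numbers are 0 .. NR_syscalls-1".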
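Review bot: In the EV_Trap hunk, the context comment "; syscall num shd not exceed the total system calls avail" now disagrees with the code, which also rejects a number equal to the total; suggest rewording it to say the number must be below NR_syscalls. This is also the same three-instruction check as in tracesys and both copies had to be fixed in lockstep, so a shared macro for the range check would keep the fast path and the traced path from diverging again.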
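As an added illustration, not part of this patch or of the kernel sources, the following C model reproduces the dispatch check the commit message describes: a 439-entry table (NR_syscalls = 439, as in the v5.6 kernel named above), the pre-fix and post-fix bounds tests, and an unsigned compare standing in for bhi. The table contents, the sample handler and the OOB_TABLE_ACCESS sentinel are constructed for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the ARC syscall dispatch: NR_syscalls = 439 as in the v5.6
 * kernel from the commit message, so valid numbers are 0 .. 438. */
#define NR_syscalls 439
#define OOB_TABLE_ACCESS (-1000) /* sentinel for "would read past the table" */

typedef long (*syscall_fn)(void);
static long sys_ni_syscall(void) { return -ENOSYS; } /* handler for holes in the table */
static long sys_sample(void) { return 4242; }        /* one populated slot, constructed */
static syscall_fn sys_call_table[NR_syscalls];

/* Pre-fix check: "cmp r8, NR_syscalls / bhi reject" only rejects nr > NR_syscalls,
 * so nr == NR_syscalls slips through. Unsigned, like bhi. */
static bool accepted_before_fix(unsigned long nr) { return !(nr > NR_syscalls); }

/* Post-fix check: "cmp r8, NR_syscalls - 1 / bhi reject" rejects nr >= NR_syscalls. */
static bool accepted_after_fix(unsigned long nr) { return !(nr > NR_syscalls - 1); }

/* Dispatch nr through the table under the given validation. Where the pre-fix check
 * would let the kernel index past the array, return OOB_TABLE_ACCESS instead. */
long do_syscall(unsigned long nr, bool (*accepted)(unsigned long))
{
    for (int i = 0; i < NR_syscalls; i++)   /* fill holes with the invalid-entry handler */
        sys_call_table[i] = sys_ni_syscall;
    sys_call_table[20] = sys_sample;        /* arbitrary populated entry */

    if (!accepted(nr))
        return -ENOSYS;                     /* rejected by the validation */
    if (nr >= NR_syscalls)
        return OOB_TABLE_ACCESS;            /* the real entry.S would crash here */
    return sys_call_table[nr]();
}

int main(void)
{
    printf("nr=439 before fix: %ld, after fix: %ld\n",
           do_syscall(439, accepted_before_fix), do_syscall(439, accepted_after_fix));
    return 0;
}
```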