From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Shahab Vahedi, Vineet Gupta
Subject: [PATCH 5.10 194/289] ARC: entry: fix off-by-one error in syscall number validation
Date: Mon, 17 May 2021 16:01:59 +0200
Message-Id: <20210517140311.640148412@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210517140305.140529752@linuxfoundation.org>
References: <20210517140305.140529752@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

From: Vineet Gupta

commit 3433adc8bd09fc9f29b8baddf33b4ecd1ecd2cdc upstream.

We have NR_syscall syscalls from [0 .. NR_syscall-1]. However the check for invalid syscall number is "> NR_syscall" as opposed to >=. This off-by-one error erroneously allows "NR_syscall" to be treated as a valid syscall, causing out-of-bounds access into the syscall-call table ensuing a crash (holes within the syscall table have an invalid-entry handler but this is beyond the array implementing the table).

This problem showed up on v5.6 kernel when testing glibc 2.33 (v5.10 kernel capable, including faccessat2 syscall 439). The v5.6 kernel has NR_syscalls=439 (0 to 438). Due to the bug, 439 passed by glibc was not handled as -ENOSYS but processed leading to a crash.

Link: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/48
Reported-by: Shahab Vahedi
Cc:
Signed-off-by: Vineet Gupta
Signed-off-by: Greg Kroah-Hartman
---
 arch/arc/kernel/entry.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arc/kernel/entry.S
+++ b/arch/arc/kernel/entry.S
@@ -177,7 +177,7 @@ tracesys: ; Do the Sys Call as we normally would. ; Validate the Sys Call number - cmp r8, NR_syscalls + cmp r8, NR_syscalls - 1 mov.hi r0, -ENOSYS bhi tracesys_exit
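Review bot: the bound is now right, but nothing on the surrounding lines records that the check depends on `bhi` being an unsigned branch, which is what makes `cmp r8, NR_syscalls - 1` reject both NR_syscalls itself and a wrapped-around value such as -1 in r8 (a number a tracer can write back in this tracesys path). Suggest extending the comment to `; Validate the Sys Call number: must be 0 .. NR_syscalls-1 (unsigned cmp)` so the `- 1` is not "simplified" away by a later reader.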
@@ -255,7 +255,7 @@ ENTRY(EV_Trap) ;============ Normal syscall case ; syscall num shd not exceed the total system calls avail - cmp r8, NR_syscalls + cmp r8, NR_syscalls - 1 mov.hi r0, -ENOSYS bhi .Lret_from_system_call
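Review bot: the comment `; syscall num shd not exceed the total system calls avail` now contradicts the code beneath it, since NR_syscalls itself is rejected after this change; suggest `; syscall num must be < NR_syscalls (0 .. NR_syscalls-1)`. This is the same test as the one in tracesys at @@ -177; a shared macro for the bounds check would keep the two copies from diverging.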
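The off-by-one described in the commit message, modelled in plain C as an added example (this is not kernel code and not part of the patch): a small syscall table whose holes hold an invalid-entry handler, the old check (reject only when `nr > NR_syscalls`) beside the fixed one (reject when `nr > NR_syscalls - 1`, i.e. `nr >= NR_syscalls`), both evaluated as unsigned comparisons the way `bhi` does in entry.S. The value of NR_syscalls, the handler names and the sentinel returned for an index outside the table are assumptions for illustration; the example does not actually read past the array, it reports where the buggy check would have.

```c
/*
 * Added example, not kernel code: models the syscall-number check from
 * arch/arc/kernel/entry.S in C so the off-by-one is visible.
 * NR_syscalls, the handlers and OOB_HANDLER_RESULT are made up for this demo.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define NR_syscalls 4            /* valid numbers are 0 .. NR_syscalls-1 */
#define OOB_HANDLER_RESULT (-2)  /* sentinel: "called" memory past the table */

typedef long (*syscall_fn)(unsigned long arg);

static long sys_ni_syscall(unsigned long arg) { (void)arg; return -ENOSYS; }
static long sys_getpid(unsigned long arg)     { (void)arg; return 42; }
static long sys_dup(unsigned long arg)        { return (long)arg; }

/* Holes inside the table are filled with sys_ni_syscall, as the commit
 * message says; whatever lies beyond the array is not the table's concern. */
static const syscall_fn sys_call_table[NR_syscalls] = {
	[0] = sys_getpid,
	[1] = sys_ni_syscall,
	[2] = sys_dup,
	[3] = sys_ni_syscall,
};

/* Mirrors the old "cmp r8, NR_syscalls ; bhi": only numbers strictly
 * greater than NR_syscalls are rejected, so NR_syscalls itself slips through. */
static bool nr_valid_buggy(unsigned long nr)
{
	return !(nr > NR_syscalls);
}

/* Mirrors the fixed "cmp r8, NR_syscalls - 1 ; bhi": nr must be
 * <= NR_syscalls-1, i.e. nr < NR_syscalls. The comparison is unsigned, so a
 * "negative" number such as (unsigned long)-1 is rejected as well. */
static bool nr_valid_fixed(unsigned long nr)
{
	return !(nr > NR_syscalls - 1);
}

/* Dispatch through the table using the given validity check. Rather than
 * really indexing past the array (undefined behaviour), an index that the
 * check let through but that is outside sys_call_table returns
 * OOB_HANDLER_RESULT, standing in for the crash the commit message describes. */
static long do_syscall(unsigned long nr, unsigned long arg,
		       bool (*valid)(unsigned long))
{
	if (!valid(nr))
		return -ENOSYS;
	if (nr >= NR_syscalls)       /* only reachable with the buggy check */
		return OOB_HANDLER_RESULT;
	return sys_call_table[nr](arg);
}

static long syscall_buggy(unsigned long nr, unsigned long arg)
{
	return do_syscall(nr, arg, nr_valid_buggy);
}

static long syscall_fixed(unsigned long nr, unsigned long arg)
{
	return do_syscall(nr, arg, nr_valid_fixed);
}

int main(void)
{
	/* NR_syscalls itself is the case from the report: glibc passing 439
	 * to a kernel whose NR_syscalls is 439. */
	printf("buggy: nr=%d -> %ld\n", NR_syscalls, syscall_buggy(NR_syscalls, 0));
	printf("fixed: nr=%d -> %ld\n", NR_syscalls, syscall_fixed(NR_syscalls, 0));
	printf("fixed: nr=%d -> %ld\n", NR_syscalls - 1, syscall_fixed(NR_syscalls - 1, 0));
	printf("fixed: nr=-1 -> %ld\n", syscall_fixed((unsigned long)-1, 0));
	return 0;
}
```

With the buggy check, `NR_syscalls` passes validation and the dispatcher indexes one past the table; with the fixed check it is turned into -ENOSYS like any other unknown number, and the last valid index (a hole here) still reaches `sys_ni_syscall` inside the array.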