From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Shahab Vahedi, Vineet Gupta
Subject: [PATCH 4.14 276/323] ARC: entry: fix off-by-one error in syscall number validation
Date: Thu, 20 May 2021 11:22:48 +0200
Message-Id: <20210520092129.683163037@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210520092120.115153432@linuxfoundation.org>
References: <20210520092120.115153432@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Vineet Gupta

commit 3433adc8bd09fc9f29b8baddf33b4ecd1ecd2cdc upstream.

We have NR_syscall syscalls from [0 .. NR_syscall-1]. However the check
for invalid syscall number is "> NR_syscall" as opposed to >=.

This off-by-one error erroneously allows "NR_syscall" to be treated as
valid syscall causing out-of-bounds access into syscall-call table
ensuing a crash (holes within syscall table have an invalid-entry handler
but this is beyond the array implementing the table).

This problem showed up on v5.6 kernel when testing glibc 2.33 (v5.10
kernel capable, including faccessat2 syscall 439). The v5.6 kernel has
NR_syscalls=439 (0 to 438). Due to the bug, 439 passed by glibc was not
handled as -ENOSYS but processed leading to a crash.

Link: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/48
Reported-by: Shahab Vahedi
Cc:
Signed-off-by: Vineet Gupta
Signed-off-by: Greg Kroah-Hartman
---
 arch/arc/kernel/entry.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arc/kernel/entry.S +++ b/arch/arc/kernel/entry.S @@ -169,7 +169,7 @@ tracesys: ; Do the Sys Call as we normally would. ; Validate the Sys Call number - cmp r8, NR_syscalls + cmp r8, NR_syscalls - 1 mov.hi r0, -ENOSYS bhi tracesys_exit
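Review bot: the corrected pair `cmp r8, NR_syscalls - 1` / `mov.hi r0, -ENOSYS` / `bhi tracesys_exit` is right, since the unsigned `hi` condition now rejects NR_syscalls itself as well as any negative number that wraps to a large unsigned value, but the same bound can be written without the subtracted immediate as `cmp r8, NR_syscalls` followed by the unsigned higher-or-same condition (`mov.hs` / `bhs`), which reads directly as "reject nr >= NR_syscalls" and matches the `[0 .. NR_syscall-1]` range stated in the commit message. Whichever form is kept, the comment `; Validate the Sys Call number` above the compare should state the accepted range explicitly, so the next reader does not have to re-derive whether the bound is inclusive.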
@@ -252,7 +252,7 @@ ENTRY(EV_Trap) ;============ Normal syscall case ; syscall num shd not exceed the total system calls avail - cmp r8, NR_syscalls + cmp r8, NR_syscalls - 1 mov.hi r0, -ENOSYS bhi .Lret_from_system_call
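Review bot: the comment above this compare, `; syscall num shd not exceed the total system calls avail`, now misdescribes the check: after this hunk a number equal to the total is rejected as well, because r8 is compared against `NR_syscalls - 1`, so reword it to say the number must be below NR_syscalls. This is also the second copy of the same three-instruction check (the first is in `tracesys` at the hunk above), and the bug had to be fixed in both places; a shared macro or a single validation point on the common path would avoid keeping two copies in sync by hand.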
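The off-by-one described in the commit message, modelled in C as an added example (this is not code from the patch or from arch/arc/kernel/entry.S). A constructed dispatch table of NR_SYSCALLS entries stands in for sys_call_table, with one extra "neighbour" slot representing whatever follows the real table in memory; the handler names, the table size of 4 and the poison value are all assumptions made for the demo. `nr_valid_buggy` reproduces the pre-patch `cmp r8, NR_syscalls` / `bhi` test and `nr_valid_fixed` the post-patch `cmp r8, NR_syscalls - 1` / `bhi` test, and `do_syscall` shows which handler each variant ends up calling for numbers at and around the bound:

```c
/*
 * Added example, not code from the patch or from arch/arc/kernel/entry.S.
 * Models the ARC syscall-number check in C with a small constructed
 * dispatch table so the off-by-one can be exercised on both sides of the
 * fix. NR_SYSCALLS, the handlers and the neighbour slot are demo values.
 */
#include <errno.h>
#include <stdio.h>

#define NR_SYSCALLS 4UL             /* valid numbers: 0 .. NR_SYSCALLS-1 */
#define NEIGHBOUR_POISON 0xdeadL    /* marks a read past the real table */

typedef long (*sys_fn)(void);

static long sys_a(void)  { return 10; }
static long sys_b(void)  { return 20; }
static long sys_ni(void) { return -ENOSYS; }   /* a hole inside the table */
static long sys_d(void)  { return 40; }

/* Not a syscall at all: stands in for whatever follows sys_call_table in
 * memory. On real hardware that memory is arbitrary and jumping through
 * it crashes; here it just returns a recognisable value. */
static long neighbour(void) { return NEIGHBOUR_POISON; }

/* The logical table has NR_SYSCALLS entries; one extra slot is kept so
 * that indexing with NR_SYSCALLS is defined behaviour in this demo. */
static const sys_fn sys_call_table[NR_SYSCALLS + 1] = {
    sys_a, sys_b, sys_ni, sys_d, neighbour,
};

/* Pre-patch: "cmp r8, NR_syscalls; bhi reject" rejects only nr > NR_syscalls,
 * so nr == NR_syscalls slips through. */
static int nr_valid_buggy(unsigned long nr)
{
    return !(nr > NR_SYSCALLS);
}

/* Post-patch: "cmp r8, NR_syscalls - 1; bhi reject" rejects nr >= NR_syscalls. */
static int nr_valid_fixed(unsigned long nr)
{
    return !(nr > NR_SYSCALLS - 1);
}

/* Models the normal path of EV_Trap: validate, then indirect through the
 * table. nr is unsigned because the assembly uses the unsigned "hi"
 * condition; a negative number such as -1 wraps to a huge value and is
 * rejected by both variants of the check. */
static long do_syscall(unsigned long nr, int (*valid)(unsigned long))
{
    if (!valid(nr))
        return -ENOSYS;
    return sys_call_table[nr]();
}

int main(void)
{
    unsigned long probes[] = {
        0, 2, NR_SYSCALLS - 1, NR_SYSCALLS, NR_SYSCALLS + 1, (unsigned long)-1,
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        unsigned long nr = probes[i];
        printf("nr=%lu  buggy=%ld  fixed=%ld\n", nr,
               do_syscall(nr, nr_valid_buggy), do_syscall(nr, nr_valid_fixed));
    }
    return 0;
}
```

The interesting row is nr == NR_SYSCALLS: the buggy check lets it through and the call lands in the neighbour slot, which is the crash the commit message describes, while the fixed check returns -ENOSYS. The hole at index 2 returns -ENOSYS under both checks because it is inside the table and has its own invalid-entry handler, which is exactly the distinction the commit message draws.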