From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Shahab Vahedi, Vineet Gupta
Subject: [PATCH 4.9 205/240] ARC: entry: fix off-by-one error in syscall number validation
Date: Thu, 20 May 2021 11:23:17 +0200
Message-Id: <20210520092115.539153255@linuxfoundation.org>
In-Reply-To: <20210520092108.587553970@linuxfoundation.org>
References: <20210520092108.587553970@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Vineet Gupta

commit 3433adc8bd09fc9f29b8baddf33b4ecd1ecd2cdc upstream.

We have NR_syscall syscalls from [0 .. NR_syscall-1]. However the check for invalid syscall number is "> NR_syscall" as opposed to >=. This off-by-one error erroneously allows "NR_syscall" to be treated as valid syscall causing out-of-bounds access into syscall-call table ensuing a crash (holes within syscall table have an invalid-entry handler but this is beyond the array implementing the table).

This problem showed up on v5.6 kernel when testing glibc 2.33 (v5.10 kernel capable, including faccessat2 syscall 439). The v5.6 kernel has NR_syscalls=439 (0 to 438). Due to the bug, 439 passed by glibc was not handled as -ENOSYS but processed leading to a crash.

Link: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/48
Reported-by: Shahab Vahedi
Cc:
Signed-off-by: Vineet Gupta
Signed-off-by: Greg Kroah-Hartman
---
 arch/arc/kernel/entry.S | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/arc/kernel/entry.S +++ b/arch/arc/kernel/entry.S @@ -169,7 +169,7 @@ tracesys: ; Do the Sys Call as we normally would. ; Validate the Sys Call number - cmp r8, NR_syscalls + cmp r8, NR_syscalls - 1 mov.hi r0, -ENOSYS bhi tracesys_exit 
@@ -252,7 +252,7 @@ ENTRY(EV_Trap) ;============ Normal syscall case ; syscall num shd not exceed the total system calls avail - cmp r8, NR_syscalls + cmp r8, NR_syscalls - 1 mov.hi r0, -ENOSYS bhi .Lret_from_system_call
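Review bot: in the tracesys hunk the new bound is the right one for an unsigned "higher" test: "cmp r8, NR_syscalls - 1" followed by "bhi" now rejects r8 == NR_syscalls, which the old "cmp r8, NR_syscalls" let through to index one entry past the table. The comment above it, "; Validate the Sys Call number", still does not state the valid range, so a later reader could plausibly "simplify" the compare back to NR_syscalls; suggest extending it to "; Validate the Sys Call number (valid range is 0 .. NR_syscalls-1)". Since the commit message shows the trigger (glibc issuing syscall 439 on a kernel with NR_syscalls=439), a regression test that invokes syscall number NR_syscalls and expects -ENOSYS would pin this path down.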
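Review bot: in the EV_Trap hunk the comment directly above the changed line, "; syscall num shd not exceed the total system calls avail", describes exactly the old, wrong bound (it reads as "num <= NR_syscalls is fine"); suggest rewording it to "; syscall num must be < NR_syscalls" so the comment and the "cmp r8, NR_syscalls - 1" / "bhi" pair agree. The tracesys path now carries an identical three-instruction check; factoring both into one macro or a shared validation label would keep the two from diverging again.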
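As an added illustration, not part of this patch or of the kernel's own code, the following C program models the two compares from the hunks above. It uses a constructed syscall table with NR_syscalls set to 4 (the real table is generated from the kernel's syscall list and the v5.6 value in the commit message is 439), a pre-fix check that lets nr == NR_syscalls through even though that index lies outside the array, and the post-fix check that rejects it. The handler names and the hole at entry 1 are constructed for the example; the unsigned comparison mirrors the "hi" condition used by the assembly.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the syscall table. A real table has hundreds
 * of entries; this one has four, with a deliberate hole at index 1 so the
 * "hole inside the table" case (handled by sys_ni_syscall) is distinct
 * from the "one past the end of the array" case (not handled at all). */
typedef long (*syscall_fn)(long a0, long a1);

static long sys_ni_syscall(long a0, long a1) { (void)a0; (void)a1; return -ENOSYS; }
static long sys_add(long a0, long a1)        { return a0 + a1; }
static long sys_negate(long a0, long a1)     { (void)a1; return -a0; }

#define NR_syscalls 4   /* constructed: valid numbers are 0 .. NR_syscalls-1 */

static const syscall_fn sys_call_table[NR_syscalls] = {
    [0] = sys_add,
    [1] = sys_ni_syscall,   /* hole: inside the array, returns -ENOSYS */
    [2] = sys_negate,
    [3] = sys_ni_syscall,
};

/* True when nr actually indexes a slot of the array. */
static bool index_in_table(unsigned long nr)
{
    return nr < sizeof(sys_call_table) / sizeof(sys_call_table[0]);
}

/* Pre-fix check, equivalent to "cmp r8, NR_syscalls; bhi reject":
 * only nr > NR_syscalls is rejected, so nr == NR_syscalls is accepted
 * and the dispatcher would read sys_call_table[NR_syscalls], one past
 * the end of the array. */
static bool nr_is_valid_before_fix(unsigned long nr)
{
    return !(nr > NR_syscalls);
}

/* Post-fix check, equivalent to "cmp r8, NR_syscalls - 1; bhi reject":
 * everything above NR_syscalls-1 is rejected, i.e. nr >= NR_syscalls.
 * The compare is unsigned like the 'hi' condition, so a negative value
 * arriving in the register is rejected as well. */
static bool nr_is_valid_after_fix(unsigned long nr)
{
    return !(nr > NR_syscalls - 1);
}

/* Dispatcher using the fixed check; it never reads past the table. */
static long do_syscall(unsigned long nr, long a0, long a1)
{
    if (!nr_is_valid_after_fix(nr))
        return -ENOSYS;
    return sys_call_table[nr](a0, a1);
}

int main(void)
{
    unsigned long nr = NR_syscalls;

    printf("nr=%lu: before fix valid=%d, in table=%d\n",
           nr, nr_is_valid_before_fix(nr), index_in_table(nr));
    printf("nr=%lu: after fix valid=%d -> %ld\n",
           nr, nr_is_valid_after_fix(nr), do_syscall(nr, 0, 0));
    printf("nr=1 (hole): %ld, nr=0: %ld\n",
           do_syscall(1, 0, 0), do_syscall(0, 2, 3));
    return 0;
}
```

The pre-fix predicate and index_in_table disagree at exactly one value, NR_syscalls, which is the number glibc 2.33 passed on the v5.6 kernel described in the commit message; the post-fix predicate agrees with index_in_table for every input.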