• James Hogan's avatar
    MIPS: Fix buffer overflow in syscall_get_arguments() · f4dce1ff
    James Hogan authored
    Since commit 4c21b8fd ("MIPS: seccomp: Handle indirect system calls
    (o32)"), syscall_get_arguments() attempts to handle o32 indirect syscall
    arguments by incrementing both the start argument number and the number
    of arguments to fetch. However only the start argument number needs to
    be incremented. The number of arguments does not change, they're just
    shifted up by one, and in fact the output array is provided by the
    caller and is likely only n entries long, so reading more arguments
    overflows the output buffer.
    
    In the case of seccomp, this results in it fetching 7 arguments starting
    at the 2nd one, which overflows the unsigned long args[6] in
    populate_seccomp_data(). This clobbers the $s0 register from
    syscall_trace_enter() which __seccomp_phase1_filter() saved onto the
    stack, into which syscall_trace_enter() had placed its syscall number
    argument. This caused Chromium to crash.
    
    Credit goes to Milko for tracking it down as far as $s0 being clobbered.
    
    Fixes: 4c21b8fd ("MIPS: seccomp: Handle indirect system calls (o32)")
    Reported-by: default avatarMilko Leporis <milko.leporis@imgtec.com>
    Signed-off-by: default avatarJames Hogan <james.hogan@imgtec.com>
    Cc: linux-mips@linux-mips.org
    Cc: <stable@vger.kernel.org> # 3.15-
    Patchwork: https://patchwork.linux-mips.org/patch/12213/Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
    f4dce1ff
syscall.h 3.05 KB