• Dan Rosenberg's avatar
    score: fix off-by-one index into syscall table · c25a785d
    Dan Rosenberg authored
    If the provided system call number is equal to __NR_syscalls, the
    current check will pass and a function pointer just after the system
    call table may be called, since sys_call_table is an array with total
    size __NR_syscalls.
    
    Whether or not this is a security bug depends on what the compiler puts
    immediately after the system call table.  It's likely that this won't do
    anything bad because there is an additional NULL check on the syscall
    entry, but if there happens to be a non-NULL value immediately after the
    system call table, this may result in local privilege escalation.
    Signed-off-by: default avatarDan Rosenberg <drosenberg@vsecurity.com>
    Cc: <stable@vger.kernel.org>
    Cc: Chen Liqin <liqin.chen@sunplusct.com>
    Cc: Lennox Wu <lennox.wu@gmail.com>
    Cc: Eugene Teo <eugeneteo@kernel.sg>
    Cc: Arnd Bergmann <arnd@arndb.de>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    c25a785d
entry.S 8.75 KB