
To: linux-mips <linux-mips@linux-mips.org>
Subject: [PATCH] MIPS: Check the range of the syscall number for o32 syscall on 64bit kernel (v2).
From: David Daney <ddaney@caviumnetworks.com>
Date: Fri, 31 Oct 2008 11:18:46 -0700
Cc: "Malov, Vlad" <Vlad.Malov@caviumnetworks.com>
Original-recipient: rfc822;linux-mips@linux-mips.org
Sender: linux-mips-bounce@linux-mips.org
User-agent: Thunderbird 2.0.0.16 (X11/20080723)
From: Vlad Malov <Vlad.Malov@caviumnetworks.com>

On a 64 bit kernel if an o32 syscall was made with a syscall number
less than 4000, we would read the function from outside of the bounds
of the syscall table.  This led to non-deterministic behavior
including system crashes.

While we were at it we reworked the 32 bit version as well to use
fewer instructions.

This version two should address the concerns Maciej raised.  gas seems
to expand this instruction ordering with no nops in the delay slots.

Signed-off-by: Vlad Malov <Vlad.Malov@caviumnetworks.com>
Signed-off-by: David Daney <ddaney@caviumnetworks.com>
---
arch/mips/kernel/scall32-o32.S |    7 ++-----
arch/mips/kernel/scall64-o32.S |   12 +++++-------
2 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/arch/mips/kernel/scall32-o32.S b/arch/mips/kernel/scall32-o32.S
index 759f680..4a77438 100644
--- a/arch/mips/kernel/scall32-o32.S
+++ b/arch/mips/kernel/scall32-o32.S
@@ -261,15 +261,12 @@ bad_alignment:

        LEAF(sys_syscall)
        subu    t0, a0, __NR_O32_Linux  # check syscall number
-       sltiu   v0, t0, __NR_O32_Linux_syscalls + 1
+       sltiu   v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1
+       beqz    t0, einval              # do not recurse
        sll     t1, t0, 3
        beqz    v0, einval
-
        lw      t2, sys_call_table(t1)          # syscall routine

-       li      v1, 4000 - __NR_O32_Linux       # index of sys_syscall
-       beq     t0, v1, einval                  # do not recurse
-
        /* Some syscalls like execve get their arguments from struct pt_regs
           and claim zero arguments in the syscall table. Thus we have to
           assume the worst case and shuffle around all potential arguments.
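Review bot: the replacement compare `sltiu v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1` tests the upper limit only, so this hunk removes the lower-bound check the 32-bit kernel already had: the deleted `sltiu v0, t0, __NR_O32_Linux_syscalls + 1` tested the subtracted index, and because `subu` wraps, any a0 below __NR_O32_Linux became a huge unsigned t0 and failed that single compare. With the new sequence a0 = 0 passes (0 is below the upper limit, and `beqz t0` only catches a0 == __NR_O32_Linux), `sll t1, t0, 3` yields a negative offset, and `lw t2, sys_call_table(t1)` reads below the table, the same class of out-of-bounds read the commit message describes for the 64-bit kernel. Keep the compare on t0 and drop the __NR_O32_Linux term from the immediate; the rest of the rework (the `beqz t0` replacing the `li`/`beq` pair) is fine.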
diff --git a/arch/mips/kernel/scall64-o32.S b/arch/mips/kernel/scall64-o32.S
index 6c7ef83..d9299ae 100644
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -174,14 +174,12 @@ not_o32_scall:
        END(handle_sys)

LEAF(sys32_syscall)
-       sltu    v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1
+       subu    t0, a0, __NR_O32_Linux  # check syscall number
+       sltiu   v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1
+       beqz    t0, einval              # do not recurse
+       dsll    t1, t0, 3
        beqz    v0, einval
-
-       dsll    v0, a0, 3
-       ld      t2, (sys_call_table - (__NR_O32_Linux * 8))(v0)
-
-       li      v1, 4000                # indirect syscall number
-       beq     a0, v1, einval          # do not recurse
+       ld      t2, sys_call_table(t1)          # syscall routine

        move    a0, a1                  # shift argument registers
        move    a1, a2
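Review bot: the new `sltiu v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1` is the same upper-limit-only test as the `sltu v0, a0, ...` it replaces, so the bug in the subject line is not fixed by this hunk: for a0 below __NR_O32_Linux the compare passes, `subu` yields a sign-extended negative t0, `dsll t1, t0, 3` turns it into a negative offset and `ld t2, sys_call_table(t1)` still loads from before the table (only a0 == __NR_O32_Linux is caught, by `beqz t0`). Compare the subtracted index instead, `sltiu v0, t0, __NR_O32_Linux_syscalls + 1`: a negative t0 is a huge unsigned value and fails that one compare, so both bounds are covered, and the immediate fits sltiu's 16-bit field either way. Moving the table load from the `sys_call_table - (__NR_O32_Linux * 8)` displacement to a plain `sys_call_table(t1)` on the subtracted index is a good cleanup and should stay.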

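The range check this patch is about, modelled in C as an added example (not code from the patch or from the kernel): the helpers reproduce the MIPS64 semantics of `subu` (32-bit subtract, result sign-extended), `sltiu` (unsigned compare against a sign-extended 16-bit immediate) and `dsll`, and the two check functions follow the posted 64-bit sequence once with the compare on a0, as in v2, and once with the compare on the subtracted index t0. The syscall count 329 is an assumed stand-in for __NR_O32_Linux_syscalls, chosen only so the limits are concrete; the same arithmetic holds on a 32-bit kernel with 32-bit registers, `sll` and `lw`.

```c
/* Model of the o32 indirect-syscall range check on a 64-bit MIPS kernel.
 * Added example, not code from the patch or the kernel: it reproduces the
 * arithmetic of the posted instruction sequence to show which syscall
 * numbers reach the table load. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define NR_O32_LINUX          4000u   /* __NR_O32_Linux */
#define NR_O32_LINUX_SYSCALLS 329u    /* assumed stand-in for __NR_O32_Linux_syscalls */

/* 8-byte entries, numbers __NR_O32_Linux .. __NR_O32_Linux + N inclusive. */
#define ENTRY_SIZE  8
#define TABLE_BYTES ((NR_O32_LINUX_SYSCALLS + 1) * ENTRY_SIZE)

/* 'subu rd, rs, rt' on MIPS64: 32-bit subtraction, result sign-extended. */
static uint64_t subu(uint64_t rs, uint64_t rt)
{
    int32_t r = (int32_t)((uint32_t)rs - (uint32_t)rt);
    return (uint64_t)(int64_t)r;
}

/* 'sltiu rd, rs, imm': unsigned compare against a sign-extended 16-bit immediate. */
static uint64_t sltiu(uint64_t rs, int16_t imm)
{
    return rs < (uint64_t)(int64_t)imm ? 1 : 0;
}

/* 'dsll rd, rt, 3': index to byte offset. */
static uint64_t dsll3(uint64_t rt)
{
    return rt << 3;
}

enum { EINVAL_PATH = -1 };

/* The v2 sequence: the upper-limit compare is done on a0, the raw number.
 * Returns the byte offset 'ld t2, sys_call_table(t1)' would use, or
 * EINVAL_PATH if either beqz branches to einval. */
static int64_t v2_table_offset(uint64_t a0)
{
    uint64_t t0 = subu(a0, NR_O32_LINUX);
    uint64_t v0 = sltiu(a0, (int16_t)(NR_O32_LINUX + NR_O32_LINUX_SYSCALLS + 1));
    if (t0 == 0)               /* beqz t0, einval: do not recurse */
        return EINVAL_PATH;
    uint64_t t1 = dsll3(t0);   /* dsll t1, t0, 3 */
    if (v0 == 0)               /* beqz v0, einval */
        return EINVAL_PATH;
    return (int64_t)t1;
}

/* Same sequence with the compare on t0, the subtracted index: a number
 * below __NR_O32_Linux wraps to a huge unsigned t0 and fails the one compare,
 * so the lower and upper bounds are both covered. */
static int64_t indexed_table_offset(uint64_t a0)
{
    uint64_t t0 = subu(a0, NR_O32_LINUX);
    uint64_t v0 = sltiu(t0, (int16_t)(NR_O32_LINUX_SYSCALLS + 1));
    if (t0 == 0)
        return EINVAL_PATH;
    uint64_t t1 = dsll3(t0);
    if (v0 == 0)
        return EINVAL_PATH;
    return (int64_t)t1;
}

/* True when an offset returned above lies inside sys_call_table. */
static bool offset_in_table(int64_t off)
{
    return off >= 0 && off < (int64_t)TABLE_BYTES;
}

int main(void)
{
    /* Probe both ends of the range and the indirect syscall number itself. */
    const uint64_t probes[] = { 0, 3999, 4000, 4001,
                                NR_O32_LINUX + NR_O32_LINUX_SYSCALLS,
                                NR_O32_LINUX + NR_O32_LINUX_SYSCALLS + 1 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int64_t a = v2_table_offset(probes[i]);
        int64_t b = indexed_table_offset(probes[i]);
        printf("a0=%5llu  v2: %-12s (offset %6lld)  indexed: %-12s (offset %6lld)\n",
               (unsigned long long)probes[i],
               a == EINVAL_PATH ? "einval" : offset_in_table(a) ? "ok" : "OUT OF TABLE",
               (long long)a,
               b == EINVAL_PATH ? "einval" : offset_in_table(b) ? "ok" : "OUT OF TABLE",
               (long long)b);
    }
    return 0;
}
```

Built with `gcc -std=c99 -Wall`, the table shows a0 = 0 and a0 = 3999 reaching negative offsets (-32000 and -8 bytes before sys_call_table) in the v2 sequence while the indexed compare sends them to einval; both sequences agree on the indirect number itself and on the upper limit.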