Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / c25a785d6647984505fa165b5cd84cfc9a95970b
commitc25a785d6647984505fa165b5cd84cfc9a95970b[log] [tgz]
authorDan Rosenberg <drosenberg@vsecurity.com>Fri Jan 20 14:34:27 2012 -0800
committerLinus Torvalds <torvalds@linux-foundation.org>Mon Jan 23 08:38:49 2012 -0800
treed1386aae3bc4a649ba1594908c7c32bf97ddcdd0
parent9f9f1acd713d69fae2af286fbeedc6c8963411c6 [diff]
score: fix off-by-one index into syscall table

If the provided system call number is equal to __NR_syscalls, the
current check will pass and a function pointer just after the system
call table may be called, since sys_call_table is an array with total
size __NR_syscalls.

Whether or not this is a security bug depends on what the compiler puts
immediately after the system call table.  It's likely that this won't do
anything bad because there is an additional NULL check on the syscall
entry, but if there happens to be a non-NULL value immediately after the
system call table, this may result in local privilege escalation.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@vger.kernel.org>
Cc: Chen Liqin <liqin.chen@sunplusct.com>
Cc: Lennox Wu <lennox.wu@gmail.com>
Cc: Eugene Teo <eugeneteo@kernel.sg>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 file changed
tree: d1386aae3bc4a649ba1594908c7c32bf97ddcdd0
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS