MIPS: Fix potential DOS by untrusted user app.

On a 64 bit kernel if an o32 syscall was made with a syscall number less than 4000, we would read the function from outside of the bounds of the syscall table. This led to non-deterministic behavior including system crashes. While we were at it we reworked the 32 bit version as well to use fewer instructions. Both 32 and 64 bit versions are use the same code now. Signed-off-by: Vlad Malov <Vlad.Malov@caviumnetworks.com> Signed-off-by: David Daney <ddaney@caviumnetworks.com> Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
2008-11-18 15:05:46 -08:00
commit e807f9574e
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -174,14 +174,12 @@ not_o32_scall:
 	END(handle_sys)

 LEAF(sys32_syscall)
-	sltu	v0, a0, __NR_O32_Linux + __NR_O32_Linux_syscalls + 1
+	subu	t0, a0, __NR_O32_Linux	# check syscall number
+	sltiu	v0, t0, __NR_O32_Linux_syscalls + 1
+	beqz	t0, einval		# do not recurse
+	dsll	t1, t0, 3
 	beqz	v0, einval
-
-	dsll	v0, a0, 3
-	ld	t2, (sys_call_table - (__NR_O32_Linux * 8))(v0)
-
-	li	v1, 4000		# indirect syscall number
-	beq	a0, v1, einval		# do not recurse
+	ld	t2, sys_call_table(t1)		# syscall routine

 	move	a0, a1			# shift argument registers
 	move	a1, a2