1
linux/arch/score
Dan Rosenberg c25a785d66 score: fix off-by-one index into syscall table
If the provided system call number is equal to __NR_syscalls, the
current check will pass and a function pointer just after the system
call table may be called, since sys_call_table is an array with total
size __NR_syscalls.

Whether or not this is a security bug depends on what the compiler puts
immediately after the system call table.  It's likely that this won't do
anything bad because there is an additional NULL check on the syscall
entry, but if there happens to be a non-NULL value immediately after the
system call table, this may result in local privilege escalation.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@vger.kernel.org>
Cc: Chen Liqin <liqin.chen@sunplusct.com>
Cc: Lennox Wu <lennox.wu@gmail.com>
Cc: Eugene Teo <eugeneteo@kernel.sg>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-01-23 08:38:49 -08:00
..
boot
configs kconfig: rename CONFIG_EMBEDDED to CONFIG_EXPERT 2011-01-20 17:02:05 -08:00
include/asm score: lost a semicolon in asm/irqflags.h 2011-03-28 12:02:20 +08:00
kernel score: fix off-by-one index into syscall table 2012-01-23 08:38:49 -08:00
lib score: remove __{put,get}_user_unknown 2009-06-19 11:41:07 +02:00
mm mm: now that all old mmu_gather code is gone, remove the storage 2011-05-25 08:39:16 -07:00
Kconfig cpu: Register a generic CPU device on architectures that currently do not 2012-01-11 15:50:11 -08:00
Kconfig.debug lib: consolidate DEBUG_STACK_USAGE option 2011-05-25 08:39:54 -07:00
Makefile Fix common misspellings 2011-03-31 11:26:23 -03:00