If the provided system call number is equal to __NR_syscalls, the
current check will pass and a function pointer just after the system
call table may be called, since sys_call_table is an array with total
size __NR_syscalls.

Whether or not this is a security bug depends on what the compiler puts
immediately after the system call table. It's likely that this won't do
anything bad because there is an additional NULL check on the syscall
entry, but if there happens to be a non-NULL value immediately after the
system call table, this may result in local privilege escalation.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@vger.kernel.org>
Cc: Chen Liqin <liqin.chen@sunplusct.com>
Cc: Lennox Wu <lennox.wu@gmail.com>
Cc: Eugene Teo <eugeneteo@kernel.sg>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

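
The off-by-one described in the commit message above, as an added C model that is not code from the kernel or from the patch (the kernel's own check is not shown on this page). The `MODEL_*` names, the four-entry table and the `neighbour` function are assumptions; the extra array slot stands in for the memory word placed right after the table.

```c
#include <stddef.h>
#include <stdio.h>

#define MODEL_NR_SYSCALLS 4      /* assumption: tiny table for the model */
#define MODEL_ENOSYS      (-38L) /* Linux ENOSYS, negated as a syscall return */

typedef long (*syscall_fn)(long);

static long sys_inc(long x)  { return x + 1; }
static long sys_dbl(long x)  { return x * 2; }
/* Stands in for whatever object was placed right after the table. */
static long neighbour(long x) { (void)x; return 0x41; }

/* Slots 0..3 are the table proper; slot 4 models the adjacent memory word.
 * The extra slot keeps the model free of real out-of-bounds reads. */
static syscall_fn model_mem[MODEL_NR_SYSCALLS + 1] = {
    sys_inc, sys_dbl, NULL, sys_inc, neighbour
};

void model_set_adjacent(syscall_fn fn) { model_mem[MODEL_NR_SYSCALLS] = fn; }

static long call_slot(unsigned long nr, long arg)
{
    syscall_fn fn = model_mem[nr];
    return fn ? fn(arg) : MODEL_ENOSYS;   /* the NULL check on the entry */
}

/* Off-by-one: only nr > NR is rejected, so nr == NR reaches the lookup. */
long dispatch_off_by_one(unsigned long nr, long arg)
{
    if (nr > MODEL_NR_SYSCALLS)
        return MODEL_ENOSYS;
    return call_slot(nr, arg);
}

/* Corrected: valid indices are 0..NR-1, so nr == NR is rejected too. */
long dispatch_checked(unsigned long nr, long arg)
{
    if (nr >= MODEL_NR_SYSCALLS)
        return MODEL_ENOSYS;
    return call_slot(nr, arg);
}

int main(void)
{
    printf("off-by-one, nr == NR: %ld\n", dispatch_off_by_one(MODEL_NR_SYSCALLS, 0));
    printf("checked,    nr == NR: %ld\n", dispatch_checked(MODEL_NR_SYSCALLS, 0));
    return 0;
}
```

Calling `model_set_adjacent(NULL)` reproduces the benign case the message mentions, where the NULL check on the entry stops the call even with the off-by-one comparison.
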
This adds back a sys_call_table to the score architecture, which
got lost in the conversion to the generic unistd.h file.

It's rather worrying that the code got submitted without a
system call table, which evidently means that it got zero
testing.

Since the system call table has a different layout from the old
one (which was modeled after the mips-o32 one), I also try to
fix the entry.S path to use it. In the modified calling conventions,
all system call arguments are passed as registers r4 through r9,
instead of r4 through r7 plus stack for the fifth and sixth argument.
This matches what other architectures do when they normally pass
arguments on the stack.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>

This is the complete set of new arch Score's files for linux.
The Score instruction set supports 16-bit, 32-bit and 64-bit instructions;
Score SOC has been used in game machines and LCD TVs.

Signed-off-by: Chen Liqin <liqin.chen@sunplusct.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>