git.baikalelectronics.ru Git - kernel.git/commit

author	Dan Rosenberg <drosenberg@vsecurity.com>
	Fri, 20 Jan 2012 22:34:27 +0000 (14:34 -0800)
committer	Linus Torvalds <torvalds@linux-foundation.org>
	Mon, 23 Jan 2012 16:38:49 +0000 (08:38 -0800)
commit	356b05b95f873f6e67aa38ea123aafcc88e6155f
tree	d1386aae3bc4a649ba1594908c7c32bf97ddcdd0	tree \| snapshot
parent	abec2ab5c753c069c2fda279b0435d3922b5d6a5	commit \| diff

score: fix off-by-one index into syscall table

If the provided system call number is equal to __NR_syscalls, the
current check will pass and a function pointer just after the system
call table may be called, since sys_call_table is an array with total
size __NR_syscalls.

Whether or not this is a security bug depends on what the compiler puts
immediately after the system call table. It's likely that this won't do
anything bad because there is an additional NULL check on the syscall
entry, but if there happens to be a non-NULL value immediately after the
system call table, this may result in local privilege escalation.

Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com>
Cc: <stable@vger.kernel.org>
Cc: Chen Liqin <liqin.chen@sunplusct.com>
Cc: Lennox Wu <lennox.wu@gmail.com>
Cc: Eugene Teo <eugeneteo@kernel.sg>
Cc: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>