score: fix off-by-one index into syscall table - linux-dev - Linux kernel development work

diff options

author	Dan Rosenberg <drosenberg@vsecurity.com>	2012-01-20 14:34:27 -0800
committer	Linus Torvalds <torvalds@linux-foundation.org>	2012-01-23 08:38:49 -0800
commit	c25a785d6647984505fa165b5cd84cfc9a95970b (patch)
tree	d1386aae3bc4a649ba1594908c7c32bf97ddcdd0 /fs
parent	mm: fix rss count leakage during migration (diff)
download	linux-dev-c25a785d6647984505fa165b5cd84cfc9a95970b.tar.xz linux-dev-c25a785d6647984505fa165b5cd84cfc9a95970b.zip

score: fix off-by-one index into syscall table

If the provided system call number is equal to __NR_syscalls, the current check will pass and a function pointer just after the system call table may be called, since sys_call_table is an array with total size __NR_syscalls. Whether or not this is a security bug depends on what the compiler puts immediately after the system call table. It's likely that this won't do anything bad because there is an additional NULL check on the syscall entry, but if there happens to be a non-NULL value immediately after the system call table, this may result in local privilege escalation. Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> Cc: <stable@vger.kernel.org> Cc: Chen Liqin <liqin.chen@sunplusct.com> Cc: Lennox Wu <lennox.wu@gmail.com> Cc: Eugene Teo <eugeneteo@kernel.sg> Cc: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Diffstat (limited to 'fs')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: