lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAC9v5qED72F7EjiYNXL1bd-c_QVKHvdWgJE3eJ5HwjdqfAqt8w@mail.gmail.com>
Date:	Mon, 23 Feb 2015 13:43:11 +0000
From:	Jamie Garside <jamie.garside@...k.ac.uk>
To:	linux-kernel@...r.kernel.org
Subject: [PATCH] /arch/microblaze/kernel/entry.S kernel 3.14 Fix crash when
 calling invalid syscall ID

There appears to be a couple of bugs in the initial syscall handler on
Microblaze when passing an invalid syscall ID.

The code at line 351 should check for a syscall ID above __NR_syscalls,
then jump to the error exit routine. In this case, _user_exception returns
using the wrong register (r15 instead of r14), and doesn't clean up the
stack, causing the running user-land to hang.

Additionally, it does not cause an error if the syscall ID is negative (as
can be returned from do_syscall_trace_enter), causing the kernel to attempt
to jump to an invalid syscall handler and cause a kernel oops.

This patch adds a check for negative syscall ID, and modifies the error
exit to jump to ret_from_trap instead (as would happen after a successful
syscall) to perform cleanup, returning -ENOSYS. I believe this should be
safe in this condition.

This patch has been edited against the Linux 3.14 code, but a glance over
the git logs shows this file has not been changed in the past two years,
hence this patch should be safe for the most recent kernel version.

Thanks,
Jamie

-- 
Jamie Garside
Department of Computer Science
University of York
United Kingdom

Disclaimer: http://www.york.ac.uk/about/legal-statements/email-disclaimer/

Download attachment "entry.S.patch" of type "application/octet-stream" (1645 bytes)

Download attachment "README" of type "application/octet-stream" (98 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ