On Mon, Nov 28, 2022 at 12:26 AM Ben Hutchings <ben@xxxxxxxxxxxxxxx> wrote:
>
> On Thu, 2022-11-03 at 03:50 -0400, guoren@xxxxxxxxxx wrote:
> [...]
> > --- a/arch/riscv/kernel/sys_riscv.c
> > +++ b/arch/riscv/kernel/sys_riscv.c
> [...]
> > +asmlinkage void do_sys_ecall_u(struct pt_regs *regs)
> > +{
> > +	syscall_t syscall;
> > +	ulong nr = regs->a7;
> > +
> > +	regs->epc += 4;
> > +	regs->orig_a0 = regs->a0;
> > +	regs->a0 = -ENOSYS;
> > +
> > +	nr = syscall_enter_from_user_mode(regs, nr);
> > +#ifdef CONFIG_COMPAT
> > +	if ((regs->status & SR_UXL) == SR_UXL_32)
> > +		syscall = compat_sys_call_table[nr];
> > +	else
> > +#endif
> > +		syscall = sys_call_table[nr];
> > +
> > +	if (nr < NR_syscalls)
>
> This bounds check needs to be done before indexing the system call
> table, not after.
Yes, you are right. That would cause a wrong pointer bug.

Here is the new version:

asmlinkage void do_sys_ecall_u(struct pt_regs *regs)
{
	syscall_t syscall;
	ulong nr = regs->a7;

	regs->epc += 4;
	regs->orig_a0 = regs->a0;
	regs->a0 = -ENOSYS;

	nr = syscall_enter_from_user_mode(regs, nr);
	if (nr < NR_syscalls) {
#ifdef CONFIG_COMPAT
		if ((regs->status & SR_UXL) == SR_UXL_32)
			syscall = compat_sys_call_table[nr];
		else
#endif
			syscall = sys_call_table[nr];

		regs->a0 = syscall(regs->orig_a0, regs->a1, regs->a2,
				   regs->a3, regs->a4, regs->a5, regs->a6);
	}
	syscall_exit_to_user_mode(regs);
}

>
> Ben.
>
> > +	regs->a0 = syscall(regs->orig_a0, regs->a1, regs->a2,
> > +			   regs->a3, regs->a4, regs->a5, regs->a6);
> > +	syscall_exit_to_user_mode(regs);
> > +}
> [...]
>
> --
> Ben Hutchings
> This sentence contradicts itself - no actually it doesn't.

--
Best Regards
 Guo Ren
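Review bot: the reposted version uses the single bound NR_syscalls for both compat_sys_call_table[nr] and sys_call_table[nr], so it relies on the compat table being sized to NR_syscalls entries as well; that is worth confirming, or stating in a comment, because this one comparison is all that stands between a user-supplied a7 and a read past the end of either table. The ordering problem in the quoted hunk, where `syscall = sys_call_table[nr];` precedes `if (nr < NR_syscalls)`, is already raised above and is fixed by the repost. A one-line comment next to `ulong nr = regs->a7;` saying that the unsigned type is what makes any negative value handed back by syscall_enter_from_user_mode() fail the `<` comparison (and so leave the preloaded -ENOSYS in a0) would help later readers, who might otherwise add a redundant signed check.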
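The point of the review above, that a user-controlled system call number must be range-checked before it indexes any dispatch table, is shown below in a stand-alone user-space program. This is an added example, not code from the patch, the kernel or either participant: `struct regs`, `UXL_32`, the two-entry `sys_call_table`/`compat_sys_call_table`, the `sys_add`/`sys_sub` stand-ins and `index_nospec()` are all constructed for illustration. The dispatcher follows the corrected `do_sys_ecall_u()` flow (check once, then pick the native or compat table), keeps `nr` unsigned so that a negative number wraps to a huge index and is rejected by the same comparison, and adds a branchless index clamp in the spirit of the kernel's `array_index_nospec()` so that a mis-speculated path cannot read past the table either.

```c
/* Added example (not kernel code): a toy syscall dispatcher that mirrors the
 * corrected RISC-V do_sys_ecall_u() flow with constructed tables and names. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

typedef unsigned long ulong;
typedef long (*syscall_t)(ulong, ulong, ulong, ulong, ulong, ulong, ulong);

/* Stand-in for pt_regs: only the fields the dispatcher touches (hypothetical). */
struct regs {
    ulong epc;
    ulong status;            /* bit 0 stands in for the SR_UXL "32-bit task" bit */
    ulong orig_a0, a0, a1, a2, a3, a4, a5, a6, a7;
};
#define UXL_32 1UL

#define UNUSED5(c, d, e, f, g) ((void)c, (void)d, (void)e, (void)f, (void)g)

/* Two constructed "system calls" plus their compat variants. */
static long sys_add(ulong a, ulong b, ulong c, ulong d, ulong e, ulong f, ulong g)
{ UNUSED5(c, d, e, f, g); return (long)(a + b); }
static long sys_sub(ulong a, ulong b, ulong c, ulong d, ulong e, ulong f, ulong g)
{ UNUSED5(c, d, e, f, g); return (long)(a - b); }
/* compat variants truncate the result to 32 bits, as a 32-bit ABI would see it */
static long compat_sys_add(ulong a, ulong b, ulong c, ulong d, ulong e, ulong f, ulong g)
{ UNUSED5(c, d, e, f, g); return (long)(uint32_t)(a + b); }
static long compat_sys_sub(ulong a, ulong b, ulong c, ulong d, ulong e, ulong f, ulong g)
{ UNUSED5(c, d, e, f, g); return (long)(uint32_t)(a - b); }

#define NR_SYSCALLS 2UL
static const syscall_t sys_call_table[NR_SYSCALLS]        = { sys_add, sys_sub };
static const syscall_t compat_sys_call_table[NR_SYSCALLS] = { compat_sys_add, compat_sys_sub };

/* Branchless clamp in the spirit of the kernel's array_index_nospec():
 * returns idx when idx < size and 0 otherwise, using only arithmetic, so a
 * speculatively executed out-of-range path still reads inside the table.
 * Relies on arithmetic right shift of a negative long (gcc/clang behaviour). */
ulong index_nospec(ulong idx, ulong size)
{
    ulong mask = (ulong)(~(long)(idx | (size - 1UL - idx)) >> (sizeof(long) * 8 - 1));
    return idx & mask;
}

/* The check runs once, before either table is read.  nr is unsigned, so a
 * negative number (for example -1 from an entry hook that skips the call)
 * wraps to a huge value and fails the same comparison; a0 then keeps -ENOSYS. */
void do_ecall(struct regs *regs)
{
    syscall_t fn;
    ulong nr = regs->a7;

    regs->epc += 4;                 /* ecall is a 4-byte instruction */
    regs->orig_a0 = regs->a0;
    regs->a0 = (ulong)-ENOSYS;      /* result unless nr is in range */

    if (nr < NR_SYSCALLS) {
        nr = index_nospec(nr, NR_SYSCALLS);
        if ((regs->status & UXL_32) == UXL_32)
            fn = compat_sys_call_table[nr];
        else
            fn = sys_call_table[nr];
        regs->a0 = (ulong)fn(regs->orig_a0, regs->a1, regs->a2,
                             regs->a3, regs->a4, regs->a5, regs->a6);
    }
}

/* Builds a register file for one call and returns what lands in a0. */
long ecall(ulong nr, ulong a0, ulong a1, int compat)
{
    struct regs r = {0};
    r.a7 = nr; r.a0 = a0; r.a1 = a1;
    r.status = compat ? UXL_32 : 0;
    do_ecall(&r);
    return (long)r.a0;
}

int main(void)
{
    printf("add(2,3)            = %ld\n", ecall(0, 2, 3, 0));
    printf("compat add(2^32-1,1)= %ld\n", ecall(0, 0xFFFFFFFFUL, 1, 1));
    printf("nr == NR_SYSCALLS   = %ld (-ENOSYS is %d)\n", ecall(NR_SYSCALLS, 1, 1, 0), -ENOSYS);
    printf("nr == (ulong)-1     = %ld\n", ecall((ulong)-1, 1, 1, 0));
    return 0;
}
```

Compile with a plain `cc -Wall`; the out-of-range cases return -ENOSYS without ever touching a table, and the wrapped `(ulong)-1` case is the one the `ulong` type is protecting against.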