Re: [PATCH] MIPS: Fix buffer overflow in syscall_get_arguments()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, 1 Feb 2016, James Hogan wrote:

> > > diff --git a/arch/mips/include/asm/syscall.h b/arch/mips/include/asm/syscall.h
> > > index 6499d93ae68d..47bc45a67e9b 100644
> > > --- a/arch/mips/include/asm/syscall.h
> > > +++ b/arch/mips/include/asm/syscall.h
> > > @@ -101,10 +101,8 @@ static inline void syscall_get_arguments(struct task_struct *task,
> > >  	/* O32 ABI syscall() - Either 64-bit with O32 or 32-bit */
> > >  	if ((config_enabled(CONFIG_32BIT) ||
> > >  	    test_tsk_thread_flag(task, TIF_32BIT_REGS)) &&
> > > -	    (regs->regs[2] == __NR_syscall)) {
> > > +	    (regs->regs[2] == __NR_syscall))
> > >  		i++;
> > > -		n++;
> > > -	}
> > >  
> > >  	while (n--)
> > >  		ret |= mips_get_syscall_arg(args++, task, regs, i++);
> > 
> >  What I think it really needs to do is to *decrease* the number of 
> > arguments, as we're throwing the syscall number away as not an argument to 
> > itself.  So this looks like a typo to me, the expression was meant to be 
> > `n--' rather than `n++'.  With the number of arguments unchanged, as in 
> > your proposed change, we're still reaching one word too far.
> 
> No, the caller asked for n args, thats what it should get. It doesn't
> care whether the syscall was indirected or not.
> 
> The syscall doesn't have 1 less arg as a result of indirection. E.g.
> What about system calls with 6 arguments, and hence 7 arguments
> including syscall number argument when redirected? We'd get an
> uninitialised 6th arg back when passing n=6.

 Do you mean the caller ignores the extra argument holding the number of 
the wrapped syscall in counting syscall arguments?  Where does it take `n' 
from?

> Note scall32-o32.S sys_syscall shifts 7 arguments starting at a1 (I've
> reordered code slightly):
> 	move	a0, a1				# shift argument registers
> 	move	a1, a2
> 	move	a2, a3
> 	lw	a3, 16(sp)
> 	lw	t4, 20(sp)
> 	lw	t5, 24(sp)
> 	lw	t6, 28(sp)
> 
> 	sw	a0, PT_R4(sp)			# .. and push back a0 - a3, some
> 	sw	a1, PT_R5(sp)			# syscalls expect them there
> 	sw	a2, PT_R6(sp)
> 	sw	a3, PT_R7(sp)
> 	sw	t4, 16(sp)
> 	sw	t5, 20(sp)
> 	sw	t6, 24(sp)
> 
> So it takes args 0..2 from a1..a3, and 3..6 from stack.

 Sure, no need to explain it as far as I'm concerned, I didn't question 
it.

  Maciej
[Index of Archives]     [Linux MIPS Home]     [LKML Archive]     [Linux ARM Kernel]     [Linux ARM]     [Linux]     [Git]     [Yosemite News]     [Linux SCSI]     [Linux Hams]

  Powered by Linux