Date: Thu, 8 Oct 2015 21:08:35 +0000 (UTC) From: Mateusz Guzik <mjg@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r289055 - in head/sys: amd64/linux i386/linux Message-ID: <201510082108.t98L8ZFH007464@repo.freebsd.org>
Author: mjg Date: Thu Oct 8 21:08:35 2015 New Revision: 289055 URL: https://svnweb.freebsd.org/changeset/base/289055 Log: linux: fix handling of out-of-bounds syscall attempts Due to an off by one the code would read an entry past the table, as opposed to the last entry which contains the nosys handler. Reported by: Pawel Biernacki <pawel.biernacki gmail.com> Modified: head/sys/amd64/linux/linux_sysvec.c head/sys/i386/linux/linux_sysvec.c Modified: head/sys/amd64/linux/linux_sysvec.c ============================================================================== --- head/sys/amd64/linux/linux_sysvec.c Thu Oct 8 20:32:44 2015 (r289054) +++ head/sys/amd64/linux/linux_sysvec.c Thu Oct 8 21:08:35 2015 (r289055) @@ -234,7 +234,7 @@ linux_fetch_syscall_args(struct thread * if (sa->code >= p->p_sysent->sv_size) /* nosys */ - sa->callp = &p->p_sysent->sv_table[LINUX_SYS_MAXSYSCALL]; + sa->callp = &p->p_sysent->sv_table[p->p_sysent->sv_size - 1]; else sa->callp = &p->p_sysent->sv_table[sa->code]; sa->narg = sa->callp->sy_narg; Modified: head/sys/i386/linux/linux_sysvec.c ============================================================================== --- head/sys/i386/linux/linux_sysvec.c Thu Oct 8 20:32:44 2015 (r289054) +++ head/sys/i386/linux/linux_sysvec.c Thu Oct 8 21:08:35 2015 (r289055) @@ -866,7 +866,7 @@ linux_fetch_syscall_args(struct thread * if (sa->code >= p->p_sysent->sv_size) /* nosys */ - sa->callp = &p->p_sysent->sv_table[LINUX_SYS_MAXSYSCALL]; + sa->callp = &p->p_sysent->sv_table[p->p_sysent->sv_size - 1] else sa->callp = &p->p_sysent->sv_table[sa->code]; sa->narg = sa->callp->sy_narg;
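Review bot: In the amd64/linux/linux_sysvec.c hunk, the new index "p->p_sysent->sv_size - 1" depends on the last slot of sv_table being the nosys handler, and only the commit log says so; the code itself carries just the bare "/* nosys */" comment. Consider expanding that comment to state that the final table entry is the nosys handler, so that anyone who later appends entries to the table or changes sv_size sees the dependency at the point of use.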
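Review bot: In the i386/linux/linux_sysvec.c hunk, the added line "sa->callp = &p->p_sysent->sv_table[p->p_sysent->sv_size - 1]" has no terminating semicolon before the following "else", so this file will not compile as committed. The amd64 hunk has the semicolon; add it here so the two files carry the same statement.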