Author: mjg
Date: Thu Oct 8 21:08:35 2015
New Revision: 289055
URL: https://svnweb.freebsd.org/changeset/base/289055
Log: linux: fix handling of out-of-bounds syscall attempts Due to an off by one the code would read an entry past the table, as opposed to the last entry which contains the nosys handler. Reported by: Pawel Biernacki <pawel.biernacki gmail.com> Modified: head/sys/amd64/linux/linux_sysvec.c head/sys/i386/linux/linux_sysvec.c Modified: head/sys/amd64/linux/linux_sysvec.c ============================================================================== --- head/sys/amd64/linux/linux_sysvec.c Thu Oct 8 20:32:44 2015 (r289054) +++ head/sys/amd64/linux/linux_sysvec.c Thu Oct 8 21:08:35 2015 (r289055) @@ -234,7 +234,7 @@ linux_fetch_syscall_args(struct thread * if (sa->code >= p->p_sysent->sv_size) /* nosys */ - sa->callp = &p->p_sysent->sv_table[LINUX_SYS_MAXSYSCALL]; + sa->callp = &p->p_sysent->sv_table[p->p_sysent->sv_size - 1]; else sa->callp = &p->p_sysent->sv_table[sa->code]; sa->narg = sa->callp->sy_narg; Modified: head/sys/i386/linux/linux_sysvec.c ============================================================================== --- head/sys/i386/linux/linux_sysvec.c Thu Oct 8 20:32:44 2015 (r289054) +++ head/sys/i386/linux/linux_sysvec.c Thu Oct 8 21:08:35 2015 (r289055) @@ -866,7 +866,7 @@ linux_fetch_syscall_args(struct thread * if (sa->code >= p->p_sysent->sv_size) /* nosys */ - sa->callp = &p->p_sysent->sv_table[LINUX_SYS_MAXSYSCALL]; + sa->callp = &p->p_sysent->sv_table[p->p_sysent->sv_size - 1] else sa->callp = &p->p_sysent->sv_table[sa->code]; sa->narg = sa->callp->sy_narg; _______________________________________________ svn-src-all@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
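Review bot: In the amd64 hunk (head/sys/amd64/linux/linux_sysvec.c, linux_fetch_syscall_args), the new index `p->p_sysent->sv_size - 1` is only correct while the last slot of sv_table holds the nosys handler and sv_size is non-zero, and nothing in the visible code states or checks either condition beyond the terse `/* nosys */` comment. Suggest expanding that comment to say the final table entry is reserved for nosys, or asserting that sv_size is greater than zero before the subtraction, so a later change to the table layout does not reintroduce an out-of-bounds read at this spot.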
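Review bot: In the i386 hunk (head/sys/i386/linux/linux_sysvec.c), the added line `sa->callp = &p->p_sysent->sv_table[p->p_sysent->sv_size - 1]` as shown here has no terminating semicolon before `else`, unlike the matching amd64 line, so it would not compile as written; add the `;`. The two files now carry the same bounds check and fallback, so consider moving it into a shared helper to keep a future fix from landing in one architecture and not the other.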