svn commit: r289055 - in head/sys: amd64/linux i386/linux
Mateusz Guzik
mjg at FreeBSD.org
Thu Oct 8 21:08:36 UTC 2015
Author: mjg
Date: Thu Oct 8 21:08:35 2015
New Revision: 289055
URL: https://svnweb.freebsd.org/changeset/base/289055
Log:
linux: fix handling of out-of-bounds syscall attempts
Due to an off-by-one the code would read an entry past the table, as
opposed to the last entry which contains the nosys handler.
Reported by: Pawel Biernacki <pawel.biernacki gmail.com>
Modified:
head/sys/amd64/linux/linux_sysvec.c
head/sys/i386/linux/linux_sysvec.c
Modified: head/sys/amd64/linux/linux_sysvec.c
==============================================================================
--- head/sys/amd64/linux/linux_sysvec.c Thu Oct 8 20:32:44 2015 (r289054)
+++ head/sys/amd64/linux/linux_sysvec.c Thu Oct 8 21:08:35 2015 (r289055)
@@ -234,7 +234,7 @@ linux_fetch_syscall_args(struct thread *
if (sa->code >= p->p_sysent->sv_size)
/* nosys */
- sa->callp = &p->p_sysent->sv_table[LINUX_SYS_MAXSYSCALL];
+ sa->callp = &p->p_sysent->sv_table[p->p_sysent->sv_size - 1];
else
sa->callp = &p->p_sysent->sv_table[sa->code];
sa->narg = sa->callp->sy_narg;
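Review bot: the new index `p->p_sysent->sv_size - 1` in the nosys branch depends on the last slot of sv_table being the nosys handler, which only the commit log states. The `/* nosys */` comment could say that explicitly, and an assertion that sv_size is non-zero would keep the subtraction from wrapping. Any other place that indexes sv_table with LINUX_SYS_MAXSYSCALL deserves a check for the same off-by-one.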
Modified: head/sys/i386/linux/linux_sysvec.c
==============================================================================
--- head/sys/i386/linux/linux_sysvec.c Thu Oct 8 20:32:44 2015 (r289054)
+++ head/sys/i386/linux/linux_sysvec.c Thu Oct 8 21:08:35 2015 (r289055)
@@ -866,7 +866,7 @@ linux_fetch_syscall_args(struct thread *
if (sa->code >= p->p_sysent->sv_size)
/* nosys */
- sa->callp = &p->p_sysent->sv_table[LINUX_SYS_MAXSYSCALL];
+ sa->callp = &p->p_sysent->sv_table[p->p_sysent->sv_size - 1]
else
sa->callp = &p->p_sysent->sv_table[sa->code];
sa->narg = sa->callp->sy_narg;
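Review bot: the added line in this i386 hunk, `sa->callp = &p->p_sysent->sv_table[p->p_sysent->sv_size - 1]`, has no terminating semicolon as shown, unlike the matching line in the amd64 hunk, and would not compile in front of the `else`. Please confirm the committed file carries the `;`. Since the two files now hold the same bounds check and fallback, a shared helper for the lookup would keep amd64 and i386 from drifting apart on future fixes.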