a7y18lte-ubports/android_kernel_samsung_universal7885
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
a869e6b05d
android_kernel_samsung_univ.../arch
History
James Hogan a869e6b05d MIPS: Fix buffer overflow in syscall_get_arguments() 
commit f4dce1ffd2e30fa31756876ef502ce6d2324be35 upstream.

Since commit 4c21b8fd8f ("MIPS: seccomp: Handle indirect system calls
(o32)"), syscall_get_arguments() attempts to handle o32 indirect syscall
arguments by incrementing both the start argument number and the number
of arguments to fetch. However only the start argument number needs to
be incremented. The number of arguments does not change, they're just
shifted up by one, and in fact the output array is provided by the
caller and is likely only n entries long, so reading more arguments
overflows the output buffer.

In the case of seccomp, this results in it fetching 7 arguments starting
at the 2nd one, which overflows the unsigned long args[6] in
populate_seccomp_data(). This clobbers the $s0 register from
syscall_trace_enter() which __seccomp_phase1_filter() saved onto the
stack, into which syscall_trace_enter() had placed its syscall number
argument. This caused Chromium to crash.

Credit goes to Milko for tracking it down as far as $s0 being clobbered.

Fixes: 4c21b8fd8f ("MIPS: seccomp: Handle indirect system calls (o32)")
Reported-by: Milko Leporis <milko.leporis@imgtec.com>
Signed-off-by: James Hogan <james.hogan@imgtec.com>
Cc: linux-mips@linux-mips.org
Patchwork: https://patchwork.linux-mips.org/patch/12213/
Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2016-03-03 15:07:17 -08:00
..
alpha
arc ARC: dw2 unwind: Catch Dwarf SNAFUs early 2015-12-21 14:01:49 +05:30
arm ARM: 8457/1: psci-smp is built only for SMP 2016-03-03 15:07:08 -08:00
arm64 arm64: errata: Add -mpc-relative-literal-loads to build flags 2016-03-03 15:07:08 -08:00
avr32 dmaengine updates for 4.4-rc1 2015-11-10 10:05:17 -08:00
blackfin treewide: Remove old email address 2015-11-23 09:44:58 +01:00
c6x
cris
frv kmap_atomic_to_page() has no users, remove it 2015-11-09 15:11:24 -08:00
h8300 h8300 update for v4.4 2015-11-12 15:26:39 -08:00
hexagon
ia64 [IA64] Enable mlock2 syscall for ia64 2015-12-14 10:30:02 -08:00
m32r m32r: fix m32104ut_defconfig build fail 2016-02-25 12:01:22 -08:00
m68k m68k: Wire up mlock2 2015-11-22 11:35:26 +01:00
metag Metag architecture changes for v4.4 2015-11-10 16:24:25 -08:00
microblaze Revert "scatterlist: use sg_phys()" 2015-12-15 12:54:06 -08:00
mips MIPS: Fix buffer overflow in syscall_get_arguments() 2016-03-03 15:07:17 -08:00
mn10300 mn10300: Select CONFIG_HAVE_UID16 to fix build failure 2015-11-30 07:01:40 -08:00
nios2 nios2: fix cache coherency 2015-11-26 22:25:58 +08:00
openrisc
parisc parisc: Fix __ARCH_SI_PREAMBLE_SIZE 2016-02-17 12:30:57 -08:00
powerpc KVM: PPC: Fix ONE_REG AltiVec support 2016-02-25 12:01:20 -08:00
s390 s390/fpu: signals vs. floating point control register 2016-03-03 15:07:12 -08:00
score
sh sh64: fix __NR_fgetxattr 2015-12-12 10:15:34 -08:00
sparc net: filter: make JITs zero A for SKF_AD_ALU_XOR_X 2016-01-06 00:43:52 -05:00
tile tile: provide CONFIG_PAGE_SIZE_64KB etc for tilepro 2016-01-05 08:16:09 -05:00
um uml: flush stdout before forking 2016-03-03 15:07:12 -08:00
unicore32 pwm: Changes for v4.4-rc1 2015-11-11 09:16:10 -08:00
x86 x86/mm: Fix vmalloc_fault() to handle large pages properly 2016-02-25 12:01:13 -08:00
xtensa Merge branch 'for-4.4/io-poll' of git://git.kernel.dk/linux-block 2015-11-10 17:23:49 -08:00
.gitignore
Kconfig