From: Mateusz Guzik Date: Thu, 8 Oct 2015 21:08:35 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r289055 - in head/sys: amd64/linux i386/linux X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 08 Oct 2015 21:08:36 -0000 Author: mjg Date: Thu Oct 8 21:08:35 2015 New Revision: 289055 URL: https://svnweb.freebsd.org/changeset/base/289055 Log: linux: fix handling of out-of-bounds syscall attempts Due to an off by one the code would read an entry past the table, as opposed to the last entry which contains the nosys handler. Reported by: Pawel Biernacki Modified: head/sys/amd64/linux/linux_sysvec.c head/sys/i386/linux/linux_sysvec.c Modified: head/sys/amd64/linux/linux_sysvec.c ============================================================================== --- head/sys/amd64/linux/linux_sysvec.c Thu Oct 8 20:32:44 2015 (r289054) +++ head/sys/amd64/linux/linux_sysvec.c Thu Oct 8 21:08:35 2015 (r289055) @@ -234,7 +234,7 @@ linux_fetch_syscall_args(struct thread * if (sa->code >= p->p_sysent->sv_size) /* nosys */ - sa->callp = &p->p_sysent->sv_table[LINUX_SYS_MAXSYSCALL]; + sa->callp = &p->p_sysent->sv_table[p->p_sysent->sv_size - 1]; else sa->callp = &p->p_sysent->sv_table[sa->code]; sa->narg = sa->callp->sy_narg; Modified: head/sys/i386/linux/linux_sysvec.c ============================================================================== --- head/sys/i386/linux/linux_sysvec.c Thu Oct 8 20:32:44 2015 (r289054) +++ head/sys/i386/linux/linux_sysvec.c Thu Oct 8 21:08:35 2015 (r289055) 
@@ -866,7 +866,7 @@ linux_fetch_syscall_args(struct thread * if (sa->code >= p->p_sysent->sv_size) /* nosys */ - sa->callp = &p->p_sysent->sv_table[LINUX_SYS_MAXSYSCALL]; + sa->callp = &p->p_sysent->sv_table[p->p_sysent->sv_size - 1] else sa->callp = &p->p_sysent->sv_table[sa->code]; sa->narg = sa->callp->sy_narg;
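Review bot: in the amd64 hunk (head/sys/amd64/linux/linux_sysvec.c, linux_fetch_syscall_args), the new index `p->p_sysent->sv_size - 1` is only correct while the final slot of `sv_table` holds the nosys handler. The log message states that convention, but nothing in the visible lines documents or enforces it. Consider extending the `/* nosys */` comment to say that the last table entry is reserved for nosys, and asserting that `sv_size` is non-zero and matches the table length, so that a later change to the table cannot reintroduce a read past its end for an out-of-range `sa->code`.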
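Review bot: in the i386 hunk (head/sys/i386/linux/linux_sysvec.c), the added line `sa->callp = &p->p_sysent->sv_table[p->p_sysent->sv_size - 1]` as shown here has no terminating semicolon before `else`, unlike the matching amd64 line, and would not compile in this form. Add the `;` so both files carry the identical statement.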