ARC: entry: fix off-by-one error in syscall number validation

We have NR_syscall syscalls from [0 .. NR_syscall-1].
However the check for invalid syscall number is "> NR_syscall".
This off-by-one error erronesously allows "NR_syscall" itself as valid
and when passed causes out-of-bounds syscall-call table access leading
to crash.

This problem showed up when testing glibc 2.33 (v5.10 kernel capable,
includng faccessat2 syscall (439) against a v5.6 kernel with
NR_syscalls=439 (0 to 438). Due to the bug, 439 was not returned with
-ENOSYS but processed leading to a crash.

Link: https://github.com/foss-for-synopsys-dwc-arc-processors/linux/issues/48
Reported-by: Shahab Vahedi <shahab@synopsys.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Vineet Gupta <vgupta@synopsys.com>

diff --git a/arch/arc/kernel/entry.S b/arch/arc/kernel/entry.S
index 1743506081da6230646640a13e11004b3b8892e9..aea9b558993d3b2a9c827e84da9d7bd540cb3b2a 100644 (file)
--- a/arch/arc/kernel/entry.S
+++ b/arch/arc/kernel/entry.S
@@ -255,7 +255,7 @@ ENTRY(EV_Trap)
        ;============ Normal syscall case
 
        ; syscall num shd not exceed the total system calls avail
-       cmp     r8,  NR_syscalls
+       cmp     r8,  NR_syscalls - 1
        mov.hi  r0, -ENOSYS
        bhi     .Lret_from_system_call