| Message ID | 20200108111342.6738-1-masahiroy@kernel.org |
|---|---|
| State | Accepted |
| Commit | 2fa863e9aa4e9d5638c6a8555a7d71dc38e79b90 |
| Headers | show |
| Series | x86: limit the fs segment to the pointer size | expand |
On Wed, 8 Jan 2020 at 04:14, Masahiro Yamada <masahiroy at kernel.org> wrote: > > The fs segment is only used to get the global data pointer. > If it is accessed beyond sizeof(new_gd->arch.gd_addr), it is a bug. > > To specify the byte-granule limit size, drop the G bit, so the > flag field is 0x8093 instead of 0xc093, and set the limit field > to sizeof(new_gd->arch.gd_addr) - 1. > > Signed-off-by: Masahiro Yamada <masahiroy at kernel.org> > --- > > arch/x86/cpu/i386/cpu.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) Reviewed-by: Simon Glass <sjg at chromium.org>
diff --git a/arch/x86/cpu/i386/cpu.c b/arch/x86/cpu/i386/cpu.c index 2b27617ca3a4..72fefdd3adca 100644 --- a/arch/x86/cpu/i386/cpu.c +++ b/arch/x86/cpu/i386/cpu.c @@ -137,8 +137,9 @@ void arch_setup_gd(gd_t *new_gd) /* FS: data, read/write, 4 GB, base (Global Data Pointer) */ new_gd->arch.gd_addr = new_gd; - gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0xc093, - (ulong)&new_gd->arch.gd_addr, 0xfffff); + gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0x8093, + (ulong)&new_gd->arch.gd_addr, + sizeof(new_gd->arch.gd_addr) - 1); /* 16-bit CS: code, read/execute, 64 kB, base 0 */ gdt_addr[X86_GDT_ENTRY_16BIT_CS] = GDT_ENTRY(0x009b, 0, 0x0ffff);
The fs segment is only used to get the global data pointer. If it is accessed beyond sizeof(new_gd->arch.gd_addr), it is a bug. To specify the byte-granule limit size, drop the G bit, so the flag field is 0x8093 instead of 0xc093, and set the limit field to sizeof(new_gd->arch.gd_addr) - 1. Signed-off-by: Masahiro Yamada <masahiroy at kernel.org> --- arch/x86/cpu/i386/cpu.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)