[PATCH] x86: limit the fs segment to the pointer size
Bin Meng
bmeng.cn at gmail.com
Mon Feb 3 05:41:58 CET 2020
On Wed, Jan 8, 2020 at 7:14 PM Masahiro Yamada <masahiroy at kernel.org> wrote:
>
> The fs segment is only used to get the global data pointer.
> If it is accessed beyond sizeof(new_gd->arch.gd_addr), it is a bug.
>
> To specify the byte-granule limit size, drop the G bit, so the
> flag field is 0x8093 instead of 0xc093, and set the limit field
> to sizeof(new_gd->arch.gd_addr) - 1.
>
> Signed-off-by: Masahiro Yamada <masahiroy at kernel.org>
> ---
>
> arch/x86/cpu/i386/cpu.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/cpu/i386/cpu.c b/arch/x86/cpu/i386/cpu.c
> index 2b27617ca3a4..72fefdd3adca 100644
> --- a/arch/x86/cpu/i386/cpu.c
> +++ b/arch/x86/cpu/i386/cpu.c
> @@ -137,8 +137,9 @@ void arch_setup_gd(gd_t *new_gd)
>
> /* FS: data, read/write, 4 GB, base (Global Data Pointer) */
nits: this comment should be updated too
> new_gd->arch.gd_addr = new_gd;
> - gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0xc093,
> - (ulong)&new_gd->arch.gd_addr, 0xfffff);
> + gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0x8093,
> + (ulong)&new_gd->arch.gd_addr,
> + sizeof(new_gd->arch.gd_addr) - 1);
>
> /* 16-bit CS: code, read/execute, 64 kB, base 0 */
> gdt_addr[X86_GDT_ENTRY_16BIT_CS] = GDT_ENTRY(0x009b, 0, 0x0ffff);
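Review bot: the unchanged context line `/* FS: data, read/write, 4 GB, base (Global Data Pointer) */` is now stale, since the limit becomes sizeof(new_gd->arch.gd_addr) - 1 bytes rather than 4 GB; update it in this hunk, and consider adding a short comment next to `GDT_ENTRY(0x8093,` stating that 0x8093 differs from 0xc093 only in the cleared G bit, which makes the limit field byte-granular. Without that note the two magic flag values are hard to audit, and a later reader may not see that restoring G (or a larger limit) would silently reopen fs-relative access beyond the pointer, which this change intends to turn into a fault.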
> --
Reviewed-by: Bin Meng <bmeng.cn at gmail.com>
Tested-by: Bin Meng <bmeng.cn at gmail.com>