Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Handle bogus %cs selector in single-step instruction decoding

The code for LDT segment selectors was not robust in the face of a bogus
selector set in %cs via ptrace before the single-step was done.

Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Roland McGrath 18 years ago
parent
a267c0a887
commit
29eb51101c
2 changed files with 31 additions and 14 deletions
Split View Show Diff Stats
  1. 15 7
      arch/i386/kernel/ptrace.c
  2. 16 7
      arch/x86_64/kernel/ptrace.c

+ 15 - 7
arch/i386/kernel/ptrace.c
View File 

@@ -164,14 +164,22 @@ static unsigned long convert_eip_to_linear(struct task_struct *child, struct pt_
 
 		u32 *desc;
 
 		unsigned long base;
 
 
-		down(&child->mm->context.sem);
 
-		desc = child->mm->context.ldt + (seg & ~7);
 
-		base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
 
+		seg &= ~7UL;
 
 
-		/* 16-bit code segment? */
 
-		if (!((desc[1] >> 22) & 1))
 
-			addr &= 0xffff;
 
-		addr += base;
 
+		down(&child->mm->context.sem);
 
+		if (unlikely((seg >> 3) >= child->mm->context.size))
 
+			addr = -1L; /* bogus selector, access would fault */
 
+		else {
 
+			desc = child->mm->context.ldt + seg;
 
+			base = ((desc[0] >> 16) |
 
+				((desc[1] & 0xff) << 16) |
 
+				(desc[1] & 0xff000000));
 
+
 
+			/* 16-bit code segment? */
 
+			if (!((desc[1] >> 22) & 1))
 
+				addr &= 0xffff;
 
+			addr += base;
 
+		}
 
 		up(&child->mm->context.sem);
 
 	}
 
 	return addr;

+ 16 - 7
arch/x86_64/kernel/ptrace.c
View File 

@@ -102,16 +102,25 @@ unsigned long convert_rip_to_linear(struct task_struct *child, struct pt_regs *r
 
 		u32 *desc;
 
 		unsigned long base;
 
 
-		down(&child->mm->context.sem);
 
-		desc = child->mm->context.ldt + (seg & ~7);
 
-		base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
 
+		seg &= ~7UL;
 
 
-		/* 16-bit code segment? */
 
-		if (!((desc[1] >> 22) & 1))
 
-			addr &= 0xffff;
 
-		addr += base;
 
+		down(&child->mm->context.sem);
 
+		if (unlikely((seg >> 3) >= child->mm->context.size))
 
+			addr = -1L; /* bogus selector, access would fault */
 
+		else {
 
+			desc = child->mm->context.ldt + seg;
 
+			base = ((desc[0] >> 16) |
 
+				((desc[1] & 0xff) << 16) |
 
+				(desc[1] & 0xff000000));
 
+
 
+			/* 16-bit code segment? */
 
+			if (!((desc[1] >> 22) & 1))
 
+				addr &= 0xffff;
 
+			addr += base;
 
+		}
 
 		up(&child->mm->context.sem);
 
 	}
 
+
 
 	return addr;
 
 }