diff options
| author | Masahiro Yamada | 2020-01-08 20:13:42 +0900 |
|---|---|---|
| committer | Bin Meng | 2020-02-04 01:19:26 +0800 |
| commit | 2fa863e9aa4e9d5638c6a8555a7d71dc38e79b90 (patch) | |
| tree | 66c18fd1385f05498c0662821c3a6277e7d72ed9 /arch/x86/cpu/i386 | |
| parent | 0d67fac29f3187e67f4fd3ef15f73e91be2fad12 (diff) | |
x86: limit the fs segment to the pointer size
The fs segment is only used to get the global data pointer.
If it is accessed beyond sizeof(new_gd->arch.gd_addr), it is a bug.
To specify the byte-granule limit size, drop the G bit, so the
flag field is 0x8093 instead of 0xc093, and set the limit field
to sizeof(new_gd->arch.gd_addr) - 1.
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Bin Meng <bmeng.cn@gmail.com>
[bmeng: fixed the comments about FS segement]
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>
Diffstat (limited to 'arch/x86/cpu/i386')
| -rw-r--r-- | arch/x86/cpu/i386/cpu.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/arch/x86/cpu/i386/cpu.c b/arch/x86/cpu/i386/cpu.c index 1592b2c9d3b..c8da7f10e9b 100644 --- a/arch/x86/cpu/i386/cpu.c +++ b/arch/x86/cpu/i386/cpu.c @@ -136,10 +136,14 @@ void arch_setup_gd(gd_t *new_gd) /* DS: data, read/write, 4 GB, base 0 */ gdt_addr[X86_GDT_ENTRY_32BIT_DS] = GDT_ENTRY(0xc093, 0, 0xfffff); - /* FS: data, read/write, 4 GB, base (Global Data Pointer) */ + /* + * FS: data, read/write, sizeof (Global Data Pointer), + * base (Global Data Pointer) + */ new_gd->arch.gd_addr = new_gd; - gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0xc093, - (ulong)&new_gd->arch.gd_addr, 0xfffff); + gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0x8093, + (ulong)&new_gd->arch.gd_addr, + sizeof(new_gd->arch.gd_addr) - 1); /* 16-bit CS: code, read/execute, 64 kB, base 0 */ gdt_addr[X86_GDT_ENTRY_16BIT_CS] = GDT_ENTRY(0x009b, 0, 0x0ffff); |