Message ID | 20200108111342.6738-1-masahiroy@kernel.org
---|---
State | Accepted
Delegated to | Bin Meng
Series | x86: limit the fs segment to the pointer size
On Wed, 8 Jan 2020 at 04:14, Masahiro Yamada <masahiroy@kernel.org> wrote:
>
> The fs segment is only used to get the global data pointer.
> If it is accessed beyond sizeof(new_gd->arch.gd_addr), it is a bug.
>
> To specify the byte-granule limit size, drop the G bit, so the
> flag field is 0x8093 instead of 0xc093, and set the limit field
> to sizeof(new_gd->arch.gd_addr) - 1.
>
> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
> ---
>
>  arch/x86/cpu/i386/cpu.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)

Reviewed-by: Simon Glass <sjg@chromium.org>
On Wed, Jan 8, 2020 at 7:14 PM Masahiro Yamada <masahiroy@kernel.org> wrote:
>
> The fs segment is only used to get the global data pointer.
> If it is accessed beyond sizeof(new_gd->arch.gd_addr), it is a bug.
>
> To specify the byte-granule limit size, drop the G bit, so the
> flag field is 0x8093 instead of 0xc093, and set the limit field
> to sizeof(new_gd->arch.gd_addr) - 1.
>
> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
> ---
>
>  arch/x86/cpu/i386/cpu.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/cpu/i386/cpu.c b/arch/x86/cpu/i386/cpu.c
> index 2b27617ca3a4..72fefdd3adca 100644
> --- a/arch/x86/cpu/i386/cpu.c
> +++ b/arch/x86/cpu/i386/cpu.c
> @@ -137,8 +137,9 @@ void arch_setup_gd(gd_t *new_gd)
>
>  	/* FS: data, read/write, 4 GB, base (Global Data Pointer) */

nits: this comment should be updated too

>  	new_gd->arch.gd_addr = new_gd;
> -	gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0xc093,
> -			(ulong)&new_gd->arch.gd_addr, 0xfffff);
> +	gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0x8093,
> +			(ulong)&new_gd->arch.gd_addr,
> +			sizeof(new_gd->arch.gd_addr) - 1);
>
>  	/* 16-bit CS: code, read/execute, 64 kB, base 0 */
>  	gdt_addr[X86_GDT_ENTRY_16BIT_CS] = GDT_ENTRY(0x009b, 0, 0x0ffff);
> --

Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Bin Meng <bmeng.cn@gmail.com>
On Mon, Feb 3, 2020 at 12:41 PM Bin Meng <bmeng.cn@gmail.com> wrote:
>
> On Wed, Jan 8, 2020 at 7:14 PM Masahiro Yamada <masahiroy@kernel.org> wrote:
> >
> > The fs segment is only used to get the global data pointer.
> > If it is accessed beyond sizeof(new_gd->arch.gd_addr), it is a bug.
> >
> > To specify the byte-granule limit size, drop the G bit, so the
> > flag field is 0x8093 instead of 0xc093, and set the limit field
> > to sizeof(new_gd->arch.gd_addr) - 1.
> >
> > Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
> > ---
> >
> >  arch/x86/cpu/i386/cpu.c | 5 +++--
> >  1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/arch/x86/cpu/i386/cpu.c b/arch/x86/cpu/i386/cpu.c
> > index 2b27617ca3a4..72fefdd3adca 100644
> > --- a/arch/x86/cpu/i386/cpu.c
> > +++ b/arch/x86/cpu/i386/cpu.c
> > @@ -137,8 +137,9 @@ void arch_setup_gd(gd_t *new_gd)
> >
> >  	/* FS: data, read/write, 4 GB, base (Global Data Pointer) */
>
> nits: this comment should be updated too

Fixed the comments, and

> >  	new_gd->arch.gd_addr = new_gd;
> > -	gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0xc093,
> > -			(ulong)&new_gd->arch.gd_addr, 0xfffff);
> > +	gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0x8093,
> > +			(ulong)&new_gd->arch.gd_addr,
> > +			sizeof(new_gd->arch.gd_addr) - 1);
> >
> >  	/* 16-bit CS: code, read/execute, 64 kB, base 0 */
> >  	gdt_addr[X86_GDT_ENTRY_16BIT_CS] = GDT_ENTRY(0x009b, 0, 0x0ffff);
> > --
>
> Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
> Tested-by: Bin Meng <bmeng.cn@gmail.com>

applied to u-boot-x86, thanks!
diff --git a/arch/x86/cpu/i386/cpu.c b/arch/x86/cpu/i386/cpu.c
index 2b27617ca3a4..72fefdd3adca 100644
--- a/arch/x86/cpu/i386/cpu.c
+++ b/arch/x86/cpu/i386/cpu.c
@@ -137,8 +137,9 @@ void arch_setup_gd(gd_t *new_gd)
 
 	/* FS: data, read/write, 4 GB, base (Global Data Pointer) */
 	new_gd->arch.gd_addr = new_gd;
-	gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0xc093,
-			(ulong)&new_gd->arch.gd_addr, 0xfffff);
+	gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0x8093,
+			(ulong)&new_gd->arch.gd_addr,
+			sizeof(new_gd->arch.gd_addr) - 1);
 
 	/* 16-bit CS: code, read/execute, 64 kB, base 0 */
 	gdt_addr[X86_GDT_ENTRY_16BIT_CS] = GDT_ENTRY(0x009b, 0, 0x0ffff);
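Review bot: the flag change on the `+ gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0x8093,` line does not clear the G bit. In the descriptor's flags nibble (bits 55:52, the high nibble of the 0xX0XX flag word) G is the 0x8 bit and D/B is the 0x4 bit, so going from 0xc093 to 0x8093 keeps G set and clears D/B instead; with G still set, the raw limit `sizeof(new_gd->arch.gd_addr) - 1` (3 on 32-bit) is scaled by 4 KiB to an effective limit of 0x3fff, i.e. 16 KiB rather than 4 bytes, and an access such as `%fs:4` still passes the limit check. To get the byte-granular limit the commit message describes, the value should be 0x4093 (G clear, D/B kept). Clearing D/B is harmless for an expand-up data segment that is never loaded into SS, but it is not what the message claims, so either the constant or the message needs to change. The comment above the changed lines still reads "4 GB" and should be updated to match the new limit as well.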
The fs segment is only used to get the global data pointer.
If it is accessed beyond sizeof(new_gd->arch.gd_addr), it is a bug.

To specify the byte-granule limit size, drop the G bit, so the
flag field is 0x8093 instead of 0xc093, and set the limit field
to sizeof(new_gd->arch.gd_addr) - 1.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
---

 arch/x86/cpu/i386/cpu.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
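A worked example, added here and not part of the patch or of U-Boot: the bit layout behind GDT_ENTRY(flags, base, limit), a decoder for the packed 8-byte descriptor, and a model of the CPU's segment-limit check. It reproduces the GDT_ENTRY() layout that Linux and U-Boot share (assumed identical to the macro the patch calls), stands in a constructed base address for `(ulong)&new_gd->arch.gd_addr`, and assumes gd_addr is 4 bytes on 32-bit x86. It decodes the original flags 0xc093, the patch's 0x8093 and a third value 0x4093 to show which bit each change clears and how many bytes of `%fs:` are usable afterwards; in the flags nibble G is the 0x8 bit and D/B is 0x4, so only the 0x4093 variant yields a 4-byte limit.

```c
/*
 * Added example, not U-Boot code: pack an x86 GDT descriptor the way
 * GDT_ENTRY(flags, base, limit) does, decode it, and model the limit
 * check, so the effect of the flag word on the usable FS limit can be
 * checked numerically.  Build: cc -std=c99 -Wall gdt_fs_limit.c
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Legacy 8-byte segment descriptor (Intel SDM vol. 3, "Segment
 * Descriptors"), same layout as the Linux/U-Boot GDT_ENTRY() macro
 * (assumption: identical to the macro the patch calls):
 *   bits  0-15  limit 15:0
 *   bits 16-39  base 23:0
 *   bits 40-47  access byte (P, DPL, S, type)
 *   bits 48-51  limit 19:16
 *   bits 52-55  flags nibble: AVL=0x1, L=0x2, D/B=0x4, G=0x8
 *   bits 56-63  base 31:24
 */
static uint64_t gdt_entry(uint64_t flags, uint64_t base, uint64_t limit)
{
	return ((base  & 0xff000000ULL) << (56 - 24)) |
	       ((flags & 0x0000f0ffULL) << 40) |
	       ((limit & 0x000f0000ULL) << (48 - 16)) |
	       ((base  & 0x00ffffffULL) << 16) |
	       ((limit & 0x0000ffffULL));
}

static uint32_t desc_base(uint64_t d)
{
	return (uint32_t)((d >> 16) & 0xffffff) | (uint32_t)((d >> 56) & 0xff) << 24;
}

static uint32_t desc_raw_limit(uint64_t d)
{
	return (uint32_t)(d & 0xffff) | (uint32_t)((d >> 48) & 0xf) << 16;
}

static uint8_t desc_access(uint64_t d)      { return (uint8_t)((d >> 40) & 0xff); }
static bool desc_granularity(uint64_t d)    { return (d >> 55) & 1; }  /* G   */
static bool desc_default_big(uint64_t d)    { return (d >> 54) & 1; }  /* D/B */

/* Highest valid offset for an expand-up segment: with G set the 20-bit
 * limit counts 4 KiB pages and the low 12 bits are implicitly ones;
 * with G clear it counts bytes. */
static uint32_t desc_effective_limit(uint64_t d)
{
	uint32_t raw = desc_raw_limit(d);
	return desc_granularity(d) ? (raw << 12) | 0xfff : raw;
}

/* Limit check for a read/write through an expand-up data segment
 * (access byte 0x93 = P, DPL0, S, data/read-write/accessed): every byte
 * of the access must lie at an offset <= limit, otherwise #GP.
 * Expand-down segments (type bit E) are not modelled. */
static bool access_ok(uint64_t d, uint32_t offset, uint32_t size)
{
	if (size == 0)
		return true;
	uint64_t last = (uint64_t)offset + size - 1;
	return last <= desc_effective_limit(d);
}

#define GD_ADDR_BASE 0x0ffe0000u  /* constructed stand-in for &new_gd->arch.gd_addr */
#define GD_ADDR_SIZE 4u           /* assumed sizeof(new_gd->arch.gd_addr) on 32-bit */

static uint64_t fs_desc_original(void) { return gdt_entry(0xc093, GD_ADDR_BASE, 0xfffff); }
static uint64_t fs_desc_patch(void)    { return gdt_entry(0x8093, GD_ADDR_BASE, GD_ADDR_SIZE - 1); }
static uint64_t fs_desc_no_g(void)     { return gdt_entry(0x4093, GD_ADDR_BASE, GD_ADDR_SIZE - 1); }

static void dump(const char *name, uint64_t d)
{
	printf("%-6s 0x%016llx base=0x%08x G=%d D/B=%d access=0x%02x limit=0x%05x -> %llu bytes usable\n",
	       name, (unsigned long long)d, desc_base(d), desc_granularity(d),
	       desc_default_big(d), desc_access(d), desc_raw_limit(d),
	       (unsigned long long)desc_effective_limit(d) + 1);
}

int main(void)
{
	dump("0xc093", fs_desc_original());
	dump("0x8093", fs_desc_patch());
	dump("0x4093", fs_desc_no_g());
	printf("0x8093: movl %%fs:0 -> %s, movl %%fs:4 -> %s\n",
	       access_ok(fs_desc_patch(), 0, 4) ? "ok" : "#GP",
	       access_ok(fs_desc_patch(), 4, 4) ? "ok" : "#GP");
	printf("0x4093: movl %%fs:0 -> %s, movl %%fs:4 -> %s\n",
	       access_ok(fs_desc_no_g(), 0, 4) ? "ok" : "#GP",
	       access_ok(fs_desc_no_g(), 4, 4) ? "ok" : "#GP");
	return 0;
}
```

Running it prints the three decoded descriptors side by side: 0xc093 gives a 4 GiB limit with G and D/B set, 0x8093 gives G set and D/B clear with a 16 KiB effective limit, and 0x4093 gives G clear and D/B set with exactly 4 usable bytes, so only the last one faults on `movl %fs:4`.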