Chuck Ebbert wrote:
On Wed, 10 Aug 2005 at 21:56:20 -0700, [email protected] wrote:
Patch-base: 2.6.13-rc5-mm1
Patch-keys: i386 desc cleanup
Signed-off-by: Zachary Amsden <[email protected]>
Index: linux-2.6.13/include/asm-i386/desc.h
===================================================================
--- linux-2.6.13.orig/include/asm-i386/desc.h 2005-08-09 19:43:38.000000000 -0700
+++ linux-2.6.13/include/asm-i386/desc.h 2005-08-10 20:42:03.000000000 -0700
@@ -14,6 +14,28 @@
#include <asm/mmu.h>
+#define desc_empty(desc) \
+ (!((desc)->a + (desc)->b))
+
I think that should be "|" instead of "+".
I think so too. I merely moved the code here and didn't notice it in
all this excitement.
0x00cf9a000xff306600 =>
Present CPL-0 32-bit code segment, base 0x0000ff30, limit 0xf6601 pages,
for which desc_empty(desc) is true.
Thankfully, this is not used as a security check, but it can falsely
overwrite TLS segments with carefully chosen base / limits. I do not
believe this is an issue in practice, but it is a kernel bug.
Nice catch. Looks like it affects all 2.6.X kernels.
Zach
Chuck Ebbert noticed that the desc_empty macro is incorrect. Fix it.
Signed-off-by: Zachary Amsden <[email protected]>
Index: linux-2.6.13/include/asm-i386/desc.h
===================================================================
--- linux-2.6.13.orig/include/asm-i386/desc.h 2005-08-15 11:23:32.000000000 -0700
+++ linux-2.6.13/include/asm-i386/desc.h 2005-08-16 10:49:03.000000000 -0700
@@ -18,7 +18,7 @@
#include <asm/mmu.h>
#define desc_empty(desc) \
- (!((desc)->a + (desc)->b))
+ (!((desc)->a | (desc)->b))
#define desc_equal(desc1, desc2) \
(((desc1)->a == (desc2)->a) && ((desc1)->b == (desc2)->b))
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
| |
 |