Date: Wed, 3 Apr 2002 16:20:53 -0800 (PST)
From: David Xu <davidx@viasoft.com.cn>
To: freebsd-gnats-submit@FreeBSD.org
Subject: i386/36710: possible privilege level check bug in /sys/i386/isa/ipl.s
Message-ID: <200204040020.g340Krh31684@freefall.freebsd.org>
>Number:         36710
>Category:       i386
>Synopsis:       possible privilege level check bug in /sys/i386/isa/ipl.s
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 03 16:30:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     David Xu
>Release:        FreeBSD 4.4-stable
>Organization:   Viatech
>Environment:
gulala
>Description:
In file /sys/i386/isa/ipl.s, when the system checks whether the code selector on the trap frame is coming from USER level or V86 mode, it first checks whether it is coming from USER level. This is wrong: it should first check whether it is coming from V86 mode, because a V86 mode code selector has no privilege level information, so checking the privilege level in the selector yields a random value. I have the patch for this bug.
>How-To-Repeat:
>Fix:
--- ipl.s.orig Thu Apr 4 07:37:13 2002 +++ ipl.s Thu Apr 4 07:57:46 2002 @@ -128,12 +128,14 @@ /* Check for ASTs that can be handled now. */ testl $AST_PENDING,_astpending je doreti_exit - testb $SEL_RPL_MASK,TF_CS(%esp) - jne doreti_ast testl $PSL_VM,TF_EFLAGS(%esp) - je doreti_exit + jz doreti_UPL cmpl $1,_in_vm86call jne doreti_ast + jmp doreti_exit +doreti_UPL: + testb $SEL_RPL_MASK,TF_CS(%esp) + jnz doreti_ast /* * doreti_exit - release MP lock, pop registers, iret.
>Release-Note:
>Audit-Trail:
>Unformatted:
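Review bot: The reordering is correct for the reason the description gives, and the failure it closes is worth spelling out in a comment at the new `doreti_UPL:` label: in a V86 frame TF_CS holds a raw real-mode segment value, so its low two bits are not an RPL, and with the old order such a frame taken during an in-kernel vm86 call (`_in_vm86call` == 1) jumped to `doreti_ast` whenever those bits happened to be nonzero, skipping the `cmpl $1,_in_vm86call` guard entirely. Two smaller points: the moved `testb` line changes `jne` to `jnz` (same instruction), and the file otherwise uses `je`/`jne`, so keep the existing spelling; and the fall-through from `doreti_UPL` into `doreti_exit` relies on `doreti_exit` immediately following the hunk, which a one-line comment after `jne doreti_ast` / before the label would make explicit for the next reader.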
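The difference between the two check orderings is easiest to see when both are modelled as plain decision functions. The following is an added example, not code from the PR or from FreeBSD; `struct trapframe_stub` is a stand-in for the two trap frame fields `doreti` inspects, the `in_vm86call` argument plays the role of the `_in_vm86call` variable compared against 1 in the hunk, and the segment values swept over are constructed samples. `SEL_RPL_MASK` (3) and `PSL_VM` (0x20000) are the real i386 values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* i386 constants (values as defined by the architecture). */
#define SEL_RPL_MASK 0x0003      /* requestor privilege level bits of a selector */
#define PSL_VM       0x00020000  /* EFLAGS.VM: the CPU was in virtual-8086 mode */

/* Stand-in (assumption) for the two trap frame fields doreti looks at. */
struct trapframe_stub {
    uint32_t tf_cs;      /* saved CS: a selector, or a raw 16-bit segment in V86 mode */
    uint32_t tf_eflags;  /* saved EFLAGS */
};

/* Decision taken by the original ipl.s: RPL test first, PSL_VM second.
 * Returns true when the code would branch to doreti_ast. */
bool ast_original(const struct trapframe_stub *tf, int in_vm86call)
{
    if (tf->tf_cs & SEL_RPL_MASK)      /* meaningless for a V86 frame */
        return true;                    /* doreti_ast */
    if (!(tf->tf_eflags & PSL_VM))
        return false;                   /* doreti_exit */
    return in_vm86call != 1;            /* the kernel's own vm86 call skips ASTs */
}

/* Decision taken by the patched ipl.s: PSL_VM test first. */
bool ast_patched(const struct trapframe_stub *tf, int in_vm86call)
{
    if (tf->tf_eflags & PSL_VM)
        return in_vm86call != 1;
    /* doreti_UPL: only a protected-mode selector carries an RPL */
    return (tf->tf_cs & SEL_RPL_MASK) != 0;
}

/* Sweep every possible 16-bit real-mode segment for a V86 frame taken
 * during an in-kernel vm86 call and count the frames on which the two
 * orderings disagree. Every segment whose low two bits are nonzero
 * (three quarters of them) makes the original code deliver an AST that
 * the in_vm86call guard was supposed to suppress. */
int count_disagreements(void)
{
    int n = 0;
    for (uint32_t seg = 0; seg < 0x10000; seg++) {
        struct trapframe_stub tf = { seg, PSL_VM };
        if (ast_original(&tf, 1) != ast_patched(&tf, 1))
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: V86 frame, segment 0xF003, in-kernel vm86 call. */
    struct trapframe_stub v86 = { 0xF003, PSL_VM | 0x202 };
    printf("original -> %s, patched -> %s\n",
           ast_original(&v86, 1) ? "doreti_ast" : "doreti_exit",
           ast_patched(&v86, 1) ? "doreti_ast" : "doreti_exit");
    printf("segments on which the orderings disagree: %d of 65536\n",
           count_disagreements());
    return 0;
}
```

Protected-mode frames are unaffected by the reorder: a user frame (RPL 3) still reaches `doreti_ast` and a kernel frame (RPL 0) still reaches `doreti_exit` under both orderings, so the change only alters behaviour for V86 frames, where the old RPL test was reading bits that carry no privilege information.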