Date: Wed, 3 Apr 2002 16:20:53 -0800 (PST)
From: David Xu <davidx@viasoft.com.cn>
To: freebsd-gnats-submit@FreeBSD.org
Subject: i386/36710: possible privilege level check bug in /sys/i386/isa/ipl.s
Message-ID: <200204040020.g340Krh31684@freefall.freebsd.org>
>Number: 36710
>Category: i386
>Synopsis: possible privilege level check bug in /sys/i386/isa/ipl.s
>Confidential: no
>Severity: critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Apr 03 16:30:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator: David Xu
>Release: FreeBSD 4.4-stable
>Organization:
Viatech
>Environment:
gulala
>Description:
In file /sys/i386/isa/ipl.s, when the system checks whether the code selector on the trap frame is coming from USER level or from V86 mode, it first checks if it is coming from USER level. This is wrong; it should first check if it is coming from V86 mode, because a V86 mode code selector hasn't any privilege level information, so checking the privilege level in that selector yields a random value. I have the patch for this bug.
>How-To-Repeat:
>Fix:
--- ipl.s.orig Thu Apr 4 07:37:13 2002
+++ ipl.s Thu Apr 4 07:57:46 2002
@@ -128,12 +128,14 @@
/* Check for ASTs that can be handled now. */
testl $AST_PENDING,_astpending
je doreti_exit
- testb $SEL_RPL_MASK,TF_CS(%esp)
- jne doreti_ast
testl $PSL_VM,TF_EFLAGS(%esp)
- je doreti_exit
+ jz doreti_UPL
cmpl $1,_in_vm86call
jne doreti_ast
+ jmp doreti_exit
+doreti_UPL:
+ testb $SEL_RPL_MASK,TF_CS(%esp)
+ jnz doreti_ast
/*
* doreti_exit - release MP lock, pop registers, iret.
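Review bot: The reordering is correct but undocumented: nothing in the hunk records why `testl $PSL_VM,TF_EFLAGS(%esp)` must now run before `testb $SEL_RPL_MASK,TF_CS(%esp)`, and the old order is the "obvious" one that a later reader could swap back. Suggest a comment above the `testl`, e.g. `/* In V86 mode TF_CS holds a real-mode segment, so its RPL bits mean nothing; test PSL_VM first. */`. Minor: the re-added line uses `jnz doreti_ast` where the removed one used `jne`; the two assemble identically, and `jz`/`jnz` after a `test` is the clearer spelling, so this is fine as long as it is intentional.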
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200204040020.g340Krh31684>
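To make the ordering problem the report describes concrete, here is an added C model of the two check orderings from the doreti path. It is not code from the PR or from FreeBSD; it only mirrors the branch logic of the old and patched assembly above on constructed trap frames. The constants SEL_RPL_MASK (3) and PSL_VM (0x20000) are the i386 values FreeBSD uses; the frame values and the `doreti_old`/`doreti_new`/`count_divergent_frames` names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* i386 constants as used by ipl.s (FreeBSD segments.h / psl.h values). */
#define SEL_RPL_MASK 0x3        /* low two bits of a protected-mode selector */
#define PSL_VM       0x00020000 /* EFLAGS.VM: the frame was pushed from V86 mode */

enum doreti_path { DORETI_EXIT = 0, DORETI_AST = 1 };

/* Minimal trap-frame model: only the two fields the check reads. */
struct tf {
    uint32_t tf_cs;     /* TF_CS(%esp)     */
    uint32_t tf_eflags; /* TF_EFLAGS(%esp) */
};

/* Original ordering from the '-' lines: RPL of TF_CS is tested first.
 * In V86 mode TF_CS is a real-mode segment whose low bits are not an RPL,
 * so a kernel vm86 call (in_vm86call == 1) can be mistaken for user code. */
static enum doreti_path doreti_old(const struct tf *f, int in_vm86call)
{
    if (f->tf_cs & SEL_RPL_MASK)       /* testb $SEL_RPL_MASK,TF_CS ; jne doreti_ast */
        return DORETI_AST;
    if (!(f->tf_eflags & PSL_VM))      /* testl $PSL_VM,TF_EFLAGS ; je doreti_exit   */
        return DORETI_EXIT;
    if (in_vm86call != 1)              /* cmpl $1,_in_vm86call ; jne doreti_ast      */
        return DORETI_AST;
    return DORETI_EXIT;
}

/* Patched ordering from the '+' lines: PSL_VM is tested first, and the RPL
 * of TF_CS is consulted only for protected-mode frames (doreti_UPL). */
static enum doreti_path doreti_new(const struct tf *f, int in_vm86call)
{
    if (f->tf_eflags & PSL_VM) {       /* testl $PSL_VM,TF_EFLAGS ; jz doreti_UPL    */
        if (in_vm86call != 1)          /* cmpl $1,_in_vm86call ; jne doreti_ast      */
            return DORETI_AST;
        return DORETI_EXIT;            /* jmp doreti_exit                            */
    }
    if (f->tf_cs & SEL_RPL_MASK)       /* doreti_UPL: testb ... ; jnz doreti_ast     */
        return DORETI_AST;
    return DORETI_EXIT;
}

/* Walk every combination of (VM flag, in_vm86call, low two CS bits) and count
 * the frames on which the two orderings disagree. Only kernel-initiated V86
 * frames (VM set, in_vm86call == 1) whose real-mode CS happens to have
 * nonzero low bits differ: the old code would handle ASTs there. */
static int count_divergent_frames(void)
{
    int divergent = 0;
    for (int vm = 0; vm < 2; vm++)
        for (int call = 0; call < 2; call++)
            for (uint32_t low = 0; low < 4; low++) {
                /* constructed frame: 0xF000 stands in for a real-mode segment */
                struct tf f = { 0xF000u | low, vm ? PSL_VM : 0u };
                if (doreti_old(&f, call) != doreti_new(&f, call))
                    divergent++;
            }
    return divergent; /* 3: VM set, in_vm86call == 1, low bits 1, 2, 3 */
}

int main(void)
{
    struct tf kernel_vm86 = { 0xF003u, PSL_VM }; /* constructed: VM frame, CS low bits 3 */
    printf("old ordering: %s\n", doreti_old(&kernel_vm86, 1) ? "AST" : "exit");
    printf("new ordering: %s\n", doreti_new(&kernel_vm86, 1) ? "AST" : "exit");
    printf("divergent frames: %d\n", count_divergent_frames());
    return 0;
}
```

The enumeration shows that the two orderings agree on every genuine user-mode frame (RPL 3, VM clear), every kernel frame (RPL 0, VM clear) and every userland V86 frame (in_vm86call != 1); they differ only where the old code read RPL bits out of a real-mode segment, which is exactly the case the report points at.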
