Source-Changes-HG archive


[src/netbsd-1-5]: src Pullup sys/arch/i386/i386/sys_machdep.c 1.55 [sommerfeld]:



details:   https://anonhg.NetBSD.org/src/rev/054788c370b4
branches:  netbsd-1-5
changeset: 490477:054788c370b4
user:      tv <tv%NetBSD.org@localhost>
date:      Wed Jan 17 01:44:52 2001 +0000

description:
Pullup sys/arch/i386/i386/sys_machdep.c 1.55 [sommerfeld]:
Validate gate targets.
Fix by myself and Charles Hannum.

diffstat:

 CHANGES-1.5.1                    |   6 +++++-
 sys/arch/i386/i386/sys_machdep.c |  13 ++++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)

diffs (44 lines):

diff -r c35ed462a366 -r 054788c370b4 CHANGES-1.5.1
--- a/CHANGES-1.5.1     Sun Dec 31 21:30:56 2000 +0000
+++ b/CHANGES-1.5.1     Wed Jan 17 01:44:52 2001 +0000
@@ -1,4 +1,4 @@
-#      $NetBSD: CHANGES-1.5.1,v 1.1.2.16 2000/12/31 21:30:56 jhawk Exp $
+#      $NetBSD: CHANGES-1.5.1,v 1.1.2.17 2001/01/17 01:44:52 tv Exp $
 
 A complete list of changes from NetBSD 1.5 to NetBSD 1.5.1:
 
@@ -444,3 +444,7 @@
   to 12.4.13+wpaul, and support the Netgear GA620T copper gigabit card,
   and the Alteon ACEnic 100baseSX and 1000baseT gigabit cards. Various
   small changes from FreeBSD.
+
+sys/arch/i386/i386/sys_machdep.c                1.55
+
+  Validate gate targets correctly.
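Review bot: The new entry "Validate gate targets correctly." does not tell a release-notes reader which gates are meant or what changes for callers. The sys_machdep.c hunk in this same changeset shows it is the call gate cases (SDT_SYS286CGT, SDT_SYS386CGT) that now return EACCES when the target selector fails the check, so I would say that here, for example "Reject call gates whose target is not an LDT segment or a user-privilege segment in the fixed part of the GDT." The commit description also reads "Validate gate targets." without "correctly"; pick one wording for both.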
diff -r c35ed462a366 -r 054788c370b4 sys/arch/i386/i386/sys_machdep.c
--- a/sys/arch/i386/i386/sys_machdep.c  Sun Dec 31 21:30:56 2000 +0000
+++ b/sys/arch/i386/i386/sys_machdep.c  Wed Jan 17 01:44:52 2001 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: sys_machdep.c,v 1.48 1999/05/12 19:28:29 thorpej Exp $ */
+/*     $NetBSD: sys_machdep.c,v 1.48.14.1 2001/01/17 01:44:52 tv Exp $ */
 
 /*-
  * Copyright (c) 1998 The NetBSD Foundation, Inc.
@@ -317,6 +317,17 @@
                        break;
                case SDT_SYS286CGT:
                case SDT_SYS386CGT:
+                       /*
+                        * Only allow call gates targeting a segment
+                        * in the LDT or a user segment in the fixed
+                        * part of the gdt.  Segments in the LDT are
+                        * constrained (below) to be user segments.
+                        */
+                       if (desc.gd.gd_p != 0 && !ISLDT(desc.gd.gd_selector) &&
+                           ((IDXSEL(desc.gd.gd_selector) >= NGDT) ||
+                            (gdt[IDXSEL(desc.gd.gd_selector)].sd.sd_dpl !=
+                                SEL_UPL)))
+                               return (EACCES);
                        /* Can't replace in use descriptor with gate. */
                        if (n == fsslot || n == gsslot)
                                return (EBUSY);
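Review bot: The `desc.gd.gd_p != 0` term at the start of the new condition means a gate marked not-present skips the target check entirely, and the comment above it does not say why that is acceptable. Please add a sentence to the comment stating the reasoning (presumably that a not-present gate cannot be used for a transfer and that marking it present later has to pass through this same path again). Two smaller points on the same condition: the GDT branch tests only `sd_dpl != SEL_UPL` on the target, so the "user segment" in the comment is enforced by privilege level alone, with no look at the target's type or present bit, and it is worth confirming that is the intent; and the LDT branch depends on a constraint the comment places "(below)", outside this hunk, so a pointer to the exact check would keep the two from drifting apart. The bound `IDXSEL(desc.gd.gd_selector) >= NGDT` is evaluated before the `gdt[]` index, which is the right order. The extra parentheses around each `||` operand can go.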


