diff options
author | Roland McGrath <roland@redhat.com> | 2007-07-16 04:03:16 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-07-18 15:09:01 -0400 |
commit | 29eb51101c02df517ca64ec472d7501127ad1da8 (patch) | |
tree | 41101a87d0f895414f7e1a7c8676e54d1abedeea /arch/i386/kernel | |
parent | a267c0a887064720dfab5775a4f09b20b4f8ec37 (diff) |
Handle bogus %cs selector in single-step instruction decoding
The code for LDT segment selectors was not robust in the face of a bogus
selector set in %cs via ptrace before the single-step was done.
Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'arch/i386/kernel')
-rw-r--r-- | arch/i386/kernel/ptrace.c | 22 |
1 files changed, 15 insertions, 7 deletions
diff --git a/arch/i386/kernel/ptrace.c b/arch/i386/kernel/ptrace.c index 1c075f58d1f9..0c8f00e69c4d 100644 --- a/arch/i386/kernel/ptrace.c +++ b/arch/i386/kernel/ptrace.c | |||
@@ -164,14 +164,22 @@ static unsigned long convert_eip_to_linear(struct task_struct *child, struct pt_ | |||
164 | u32 *desc; | 164 | u32 *desc; |
165 | unsigned long base; | 165 | unsigned long base; |
166 | 166 | ||
167 | down(&child->mm->context.sem); | 167 | seg &= ~7UL; |
168 | desc = child->mm->context.ldt + (seg & ~7); | ||
169 | base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000); | ||
170 | 168 | ||
171 | /* 16-bit code segment? */ | 169 | down(&child->mm->context.sem); |
172 | if (!((desc[1] >> 22) & 1)) | 170 | if (unlikely((seg >> 3) >= child->mm->context.size)) |
173 | addr &= 0xffff; | 171 | addr = -1L; /* bogus selector, access would fault */ |
174 | addr += base; | 172 | else { |
173 | desc = child->mm->context.ldt + seg; | ||
174 | base = ((desc[0] >> 16) | | ||
175 | ((desc[1] & 0xff) << 16) | | ||
176 | (desc[1] & 0xff000000)); | ||
177 | |||
178 | /* 16-bit code segment? */ | ||
179 | if (!((desc[1] >> 22) & 1)) | ||
180 | addr &= 0xffff; | ||
181 | addr += base; | ||
182 | } | ||
175 | up(&child->mm->context.sem); | 183 | up(&child->mm->context.sem); |
176 | } | 184 | } |
177 | return addr; | 185 | return addr; |