[PATCH] x86: Pnp byte granularity

The one remaining caller of set_limit, the PnP BIOS code, calls into the PnP
BIOS, passing kernel parameters in and out.  These parameteres may be passed
from arbitrary kernel virtual memory, so they deserve strict protection to
stop a bad BIOS from smashing beyond the object size.

Unfortunately, the use of set_limit was badly botching this by setting the
limit in terms of pages, when it really should have byte granularity.

When doing this, I discovered my BIOS had the buggy code during the "get
system device node" call:

 mov ax, es:[bx]

Which is harmless, but has a trivial workaround.

Signed-off-by: Zachary Amsden <zach@vmware.com>
Cc: "Seth, Rohit" <rohit.seth@intel.com>
Cc: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>

3 files changed, 11 insertions, 8 deletions

diff --git a/arch/i386/kernel/head.S b/arch/i386/kernel/head.S
index 37b599fa4d1..58d2746670b 100644
--- a/arch/i386/kernel/head.S
+++ b/arch/i386/kernel/head.S
@@ -504,12 +504,12 @@ ENTRY(cpu_gdt_table)
         .quad 0x0000000000000000        /* 0x80 TSS descriptor */
         .quad 0x0000000000000000        /* 0x88 LDT descriptor */
 
-        /* Segments used for calling PnP BIOS */
-        .quad 0x00c09a0000000000        /* 0x90 32-bit code */
-        .quad 0x00809a0000000000        /* 0x98 16-bit code */
-        .quad 0x0080920000000000        /* 0xa0 16-bit data */
-        .quad 0x0080920000000000        /* 0xa8 16-bit data */
-        .quad 0x0080920000000000        /* 0xb0 16-bit data */
+        /* Segments used for calling PnP BIOS have byte granularity */
+        .quad 0x00409a0000000000        /* 0x90 32-bit code */
+        .quad 0x00009a0000000000        /* 0x98 16-bit code */
+        .quad 0x0000920000000000        /* 0xa0 16-bit data */
+        .quad 0x0000920000000000        /* 0xa8 16-bit data */
+        .quad 0x0000920000000000        /* 0xb0 16-bit data */
 
         /*
          * The APM segments have byte granularity and their bases
diff --git a/drivers/pnp/pnpbios/bioscalls.c b/drivers/pnp/pnpbios/bioscalls.c
index 37bacfcdbc5..a72126180e9 100644
--- a/drivers/pnp/pnpbios/bioscalls.c
+++ b/drivers/pnp/pnpbios/bioscalls.c
@@ -283,12 +283,15 @@ int pnp_bios_dev_node_info(struct pnp_dev_node_info *data)
 static int __pnp_bios_get_dev_node(u8 *nodenum, char boot, struct pnp_bios_node *data)
 {
         u16 status;
+        u16 tmp_nodenum;
         if (!pnp_bios_present())
                 return PNP_FUNCTION_NOT_SUPPORTED;
         if ( !boot && pnpbios_dont_use_current_config )
                 return PNP_FUNCTION_NOT_SUPPORTED;
+        tmp_nodenum = *nodenum;
         status = call_pnp_bios(PNP_GET_SYS_DEV_NODE, 0, PNP_TS1, 0, PNP_TS2, boot ? 2 : 1, PNP_DS, 0,
-                               nodenum, sizeof(char), data, 65536);
+                               &tmp_nodenum, sizeof(tmp_nodenum), data, 65536);
+        *nodenum = tmp_nodenum;
         return status;
 }
 
diff --git a/include/asm-i386/system.h b/include/asm-i386/system.h
index 24cc0c8fe34..9c0593b7a94 100644
--- a/include/asm-i386/system.h
+++ b/include/asm-i386/system.h
@@ -54,7 +54,7 @@ __asm__ __volatile__ ("movw %%dx,%1\n\t" \
         ); } while(0)
 
 #define set_base(ldt,base) _set_base( ((char *)&(ldt)) , (base) )
-#define set_limit(ldt,limit) _set_limit( ((char *)&(ldt)) , ((limit)-1)>>12 )
+#define set_limit(ldt,limit) _set_limit( ((char *)&(ldt)) , ((limit)-1) )
 
 /*
  * Load a segment. Fall back on loading the zero