ia64/xen-unstable

changeset 802:f4b23abe3038

bitkeeper revision 1.491 (3f832fbdOKWxUmK2ZYQ1DMaJhGFEwA)

desc.h, memory.c, process.c, mm.c:
Fix up memory-management security checking.
author kaf24@scramble.cl.cam.ac.uk
date Tue Oct 07 21:27:25 2003 +0000 (2003-10-07)
parents 209fcea923d4
children 54d82b047eb4
files xen/arch/i386/mm.c xen/arch/i386/process.c xen/common/memory.c xen/include/asm-i386/desc.h
     1.1 --- a/xen/arch/i386/mm.c	Tue Oct 07 20:13:19 2003 +0000
     1.2 +++ b/xen/arch/i386/mm.c	Tue Oct 07 21:27:25 2003 +0000
     1.3 @@ -129,9 +129,10 @@ long do_stack_switch(unsigned long ss, u
     1.4      int nr = smp_processor_id();
     1.5      struct tss_struct *t = &init_tss[nr];
     1.6  
     1.7 -    if ( !VALID_DATASEL(ss) )
     1.8 -        return -EINVAL;
     1.9 -
    1.10 +    /*
    1.11 +     * No need to check validity: CPU will fault if SS or ESP is bad. This is
    1.12 +     * true even for a fast trap: a bad SS:ESP will get us either a #SS or #TS.
    1.13 +     */
    1.14      current->thread.ss1  = ss;
    1.15      current->thread.esp1 = esp;
    1.16      t->ss1  = ss;
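Review bot: The new comment at lines 1.10–1.13 justifies dropping the selector check by saying the CPU will fault, but it does not say who takes that fault: a bad ss1/esp1 is consumed during a ring-3→ring-1 transition, so the resulting #TS or #SS is delivered to Xen's own ring-0 handler, which must recognise it as a guest error and reflect it to the guest rather than treat it as a hypervisor fault. I would extend the comment with `The fault is taken by Xen's #TS/#SS handler with a ring-3 interrupted CS and must be bounced to the guest, never treated as a hypervisor bug.` and confirm that handler does not panic on such a frame. Note also that the removed VALID_DATASEL check was the last software rejection of a selector pointing into Xen's reserved GDT entries; presumably that is now enforced only by the hardware DPL == CPL check, which holds as long as those entries stay DPL 0. do_stack_switch starts before this hunk and its body continues after it.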
     2.1 --- a/xen/arch/i386/process.c	Tue Oct 07 20:13:19 2003 +0000
     2.2 +++ b/xen/arch/i386/process.c	Tue Oct 07 21:27:25 2003 +0000
     2.3 @@ -253,6 +253,15 @@ void switch_to(struct task_struct *prev_
     2.4             &next_p->shared_info->execution_context,
     2.5             sizeof(*stack_ec));
     2.6  
     2.7 +    /*
     2.8 +     * This is sufficient! If the descriptor DPL differs from CS RPL
     2.9 +     * then we'll #GP. If DS, ES, FS, GS are DPL 0 then they'll be
    2.10 +     * cleared automatically. If SS RPL or DPL differs from CS RPL
    2.11 +     * then we'll #GP.
    2.12 +     */
    2.13 +    if ( (stack_ec->cs & 3) == 0 )
    2.14 +        stack_ec->cs = 0;
    2.15 +
    2.16      unlazy_fpu(prev_p);
    2.17  
    2.18      /* Switch the fast-trap handler. */
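Review bot: Forcing `cs = 0` for a ring-0 RPL means the failure surfaces as a #GP at the IRET in Xen's own ring-0 exit path, and the comment does not say how that fault is distinguished from a genuine hypervisor fault. Unless the #GP handler has a fixup for the return-to-guest IRET (none is visible in this hunk), a guest could crash the hypervisor simply by storing a ring-0 CS in its execution context. I would replace `This is sufficient!` with `A ring-0 CS is nulled so the IRET back to the guest takes #GP in Xen; that #GP must be caught by the exit-path fixup and delivered to the guest as a failed context switch.` and verify such a fixup exists. The other claims in the comment (DS/ES/FS/GS with DPL 0 are cleared, SS RPL/DPL mismatch faults) match the IA-32 IRET rules; switch_to begins before this hunk and continues after it.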
     3.1 --- a/xen/common/memory.c	Tue Oct 07 20:13:19 2003 +0000
     3.2 +++ b/xen/common/memory.c	Tue Oct 07 21:27:25 2003 +0000
     3.3 @@ -816,12 +816,15 @@ int do_process_page_updates(page_update_
     3.4                  case PGT_l2_page_table: 
     3.5                      err = mod_l2_entry((l2_pgentry_t *)req.ptr, 
     3.6                                         mk_l2_pgentry(req.val)); 
     3.7 -                    break;
     3.8 -                default:
     3.9 +                    break;                    
    3.10 +                case PGT_none:
    3.11                      MEM_LOG("Update to non-pt page %08lx", req.ptr);
    3.12                      *(unsigned long *)req.ptr = req.val;
    3.13                      err = 0;
    3.14                      break;
    3.15 +                default:
    3.16 +                    MEM_LOG("Update to bad page %08lx", req.ptr);
    3.17 +                    break;
    3.18                  }
    3.19              }
    3.20              else
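Review bot: The new `default:` arm at lines 3.15–3.17 logs the bad page but does not assign `err`, while both sibling arms do (`err = mod_l2_entry(...)`, `err = 0`); unless `err` is initialised to a failure value before the switch (outside this hunk), an update to a page of unexpected type is reported to the guest as success. I would add `err = -EINVAL;` (or whatever failure convention the surrounding code uses) before that `break`. The `PGT_none` arm still performs a raw `*(unsigned long *)req.ptr = req.val` write; I assume ownership of req.ptr by the calling domain was checked earlier in do_process_page_updates, which starts before this hunk. Line 3.9 also gained trailing whitespace after `break;`.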
     4.1 --- a/xen/include/asm-i386/desc.h	Tue Oct 07 20:13:19 2003 +0000
     4.2 +++ b/xen/include/asm-i386/desc.h	Tue Oct 07 21:27:25 2003 +0000
     4.3 @@ -14,21 +14,19 @@
     4.4  #define load_TR(n)  __asm__ __volatile__ ("ltr  %%ax" : : "a" (__TSS(n)<<3) )
     4.5  
     4.6  /*
     4.7 - * Guest OS must provide its own code selectors, or use the one we provide.
     4.8 - * The RPL must be 1, as we only create bounce frames to ring 1.
     4.9 - * Any LDT selector value is okay.
    4.10 + * Guest OS must provide its own code selectors, or use the one we provide. The
    4.11 + * RPL must be 1, as we only create bounce frames to ring 1. Any LDT selector
    4.12 + * value is okay. Note that checking only the RPL is insufficient: if the
    4.13 + * selector is poked into an interrupt, trap or call gate then the RPL is
    4.14 + * ignored when the gate is accessed.
    4.15   */
    4.16 -
    4.17  #define VALID_SEL(_s)                                                      \
    4.18      (((((_s)>>3) < FIRST_RESERVED_GDT_ENTRY) ||                            \
    4.19        (((_s)>>3) >  LAST_RESERVED_GDT_ENTRY) ||                            \
    4.20        ((_s)&4)) &&                                                         \
    4.21       (((_s)&3) == 1))
    4.22 -
    4.23  #define VALID_CODESEL(_s) ((_s) == FLAT_RING1_CS || VALID_SEL(_s))
    4.24  
    4.25 -#define VALID_DATASEL(_s) ((_s) == FLAT_RING1_DS || VALID_SEL(_s))
    4.26 -
    4.27  /* These are bitmasks for the first 32 bits of a descriptor table entry. */
    4.28  #define _SEGMENT_TYPE    (15<< 8)
    4.29  #define _SEGMENT_S       ( 1<<12) /* System descriptor (yes iff S==0) */
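Review bot: The new comment at lines 4.12–4.14 correctly says an RPL-only check is insufficient for selectors that end up in gates, but VALID_SEL and VALID_CODESEL are left unchanged, so nothing in the header tells a caller what the macros do and do not establish. Since VALID_SEL only excludes the reserved GDT range and requires RPL 1, any trap-table or gate setup that relies on VALID_CODESEL must also check the target descriptor's DPL or depend on the hardware #GP at gate use; I would add `VALID_CODESEL is a sanity filter only; it does not establish that the descriptor is a ring-1 code segment.` to the comment. Removing VALID_DATASEL is consistent with the mm.c change in this commit, which no longer calls it.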