path: root/sys/i386/pci
author: mdodd <mdodd@FreeBSD.org> 2002-09-19 18:46:25 +0000
committer: mdodd <mdodd@FreeBSD.org> 2002-09-19 18:46:25 +0000
commit: 862a7a02065e4deed0e9939de05e07f75b74325c (patch)
tree: 19a757fda494d69be645f44f6ea3afb3c1b686aa /sys/i386/pci
parent: 2a2c364d7ecbe61c5a970718f58cd23cec7c88c9 (diff)
From Christian Zander:

This patch addresses a bug that can cause a GPF in the kernel - if a
process makes use of i386_set_ldt to install a LDT entry, then loads a
corresponding segment descriptor into %gs, forks, and if the child execs.

In this scenario, setregs executes user_ldt_free and then determines how
to reset the %gs register:

	/* reset %gs as well */
	if (pcb == curpcb)
		load_gs(_udatasel);
	else
		pcb->pcb_gs = _udatasel;

This is insufficient in the fork/exec case, since pcb will be equal to
curpcb when the child execs; load_gs will reset %gs to _udatasel but it
doesn't reset pcb->pcb_gs; upon return from the system call,
cpu_switch_load_gs will thus attempt to restore %gs from pcb->pcb_gs and
trigger a GPF since all LDT entries have already been cleared.

The fix is to always reset pcb->pcb_gs to _udatasel.

Submitted by:	Christian Zander <zander@minion.de>
Reviewed by:	jake
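The scenario in the commit message, modelled as an added example (not FreeBSD code): a constructed pcb/LDT state machine runs the quoted reset logic beside the fixed one and reports whether the later cpu_switch_load_gs-style restore would reference a cleared LDT. Selector values, the ldt_valid flag and the function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the state involved: a pcb with a saved %gs, the live
 * %gs register, and one flag standing in for "LDT entries still present". */
#define UDATASEL  0x2b   /* constructed GDT data selector (TI bit clear) */
#define LDT_SEL   0x0f   /* constructed selector referring into the LDT (TI bit set) */

struct pcb { uint16_t pcb_gs; };

static struct pcb *curpcb;      /* pcb of the currently running process */
static uint16_t   gs_reg;       /* stands in for the live %gs register */
static bool       ldt_valid;    /* false once user_ldt_free() has run */

static void load_gs(uint16_t sel) { gs_reg = sel; }
static void user_ldt_free(void)   { ldt_valid = false; }

/* Reset logic exactly as quoted in the commit message. */
static void reset_gs_buggy(struct pcb *pcb) {
    user_ldt_free();
    if (pcb == curpcb) load_gs(UDATASEL); else pcb->pcb_gs = UDATASEL;
}

/* Fixed logic: pcb_gs is always reset; %gs is reloaded only when pcb is current. */
static void reset_gs_fixed(struct pcb *pcb) {
    user_ldt_free();
    if (pcb == curpcb) load_gs(UDATASEL);
    pcb->pcb_gs = UDATASEL;
}

/* Models the restore on return to user mode: loading %gs from a selector
 * whose TI bit points at an LDT that has been cleared is the GPF case. */
static bool restore_gs_faults(const struct pcb *pcb) {
    bool refers_to_ldt = (pcb->pcb_gs & 0x4) != 0;   /* bit 2 = table indicator */
    if (refers_to_ldt && !ldt_valid) return true;
    gs_reg = pcb->pcb_gs;
    return false;
}

/* fork/exec scenario: the exec'ing child is current (pcb == curpcb) and its
 * saved %gs names an LDT entry. Returns true if the restore would fault. */
bool exec_scenario_faults(bool use_fix) {
    struct pcb child = { .pcb_gs = LDT_SEL };
    curpcb = &child; gs_reg = LDT_SEL; ldt_valid = true;
    if (use_fix) reset_gs_fixed(&child); else reset_gs_buggy(&child);
    return restore_gs_faults(&child);
}
```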
Diffstat (limited to 'sys/i386/pci')
0 files changed, 0 insertions, 0 deletions