summary refs log tree commit diff
path: root/arch/x86_64
diff options
context:
space:
mode:
authorRoland McGrath <roland@redhat.com>2007-07-16 01:03:16 -0700
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-07-18 12:09:01 -0700
commit29eb51101c02df517ca64ec472d7501127ad1da8 (patch)
tree41101a87d0f895414f7e1a7c8676e54d1abedeea /arch/x86_64
parenta267c0a887064720dfab5775a4f09b20b4f8ec37 (diff)
downloadlinux-29eb51101c02df517ca64ec472d7501127ad1da8.tar.gz
Handle bogus %cs selector in single-step instruction decoding
The code for LDT segment selectors was not robust in the face of a bogus
selector set in %cs via ptrace before the single-step was done.

Signed-off-by: Roland McGrath <roland@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'arch/x86_64')
-rw-r--r--arch/x86_64/kernel/ptrace.c23
1 files changed, 16 insertions, 7 deletions
diff --git a/arch/x86_64/kernel/ptrace.c b/arch/x86_64/kernel/ptrace.c
index fa6775ef729f..e83cc67155ac 100644
--- a/arch/x86_64/kernel/ptrace.c
+++ b/arch/x86_64/kernel/ptrace.c
@@ -102,16 +102,25 @@ unsigned long convert_rip_to_linear(struct task_struct *child, struct pt_regs *r
 		u32 *desc;
 		unsigned long base;
 
-		down(&child->mm->context.sem);
-		desc = child->mm->context.ldt + (seg & ~7);
-		base = (desc[0] >> 16) | ((desc[1] & 0xff) << 16) | (desc[1] & 0xff000000);
+		seg &= ~7UL;
 
-		/* 16-bit code segment? */
-		if (!((desc[1] >> 22) & 1))
-			addr &= 0xffff;
-		addr += base;
+		down(&child->mm->context.sem);
+		if (unlikely((seg >> 3) >= child->mm->context.size))
+			addr = -1L; /* bogus selector, access would fault */
+		else {
+			desc = child->mm->context.ldt + seg;
+			base = ((desc[0] >> 16) |
+				((desc[1] & 0xff) << 16) |
+				(desc[1] & 0xff000000));
+
+			/* 16-bit code segment? */
+			if (!((desc[1] >> 22) & 1))
+				addr &= 0xffff;
+			addr += base;
+		}
 		up(&child->mm->context.sem);
 	}
+
 	return addr;
 }
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-10-19 07:39:41 +0000