* [PATCH] x86: limit the fs segment to the pointer size
@ 2020-01-08 11:13 Masahiro Yamada
From: Masahiro Yamada @ 2020-01-08 11:13 UTC (permalink / raw)
  To: u-boot

The fs segment is only used to get the global data pointer.
If it is accessed beyond sizeof(new_gd->arch.gd_addr), it is a bug.

To specify the byte-granule limit size, drop the G bit, so the
flag field is 0x8093 instead of 0xc093, and set the limit field
to sizeof(new_gd->arch.gd_addr) - 1.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
---

 arch/x86/cpu/i386/cpu.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/arch/x86/cpu/i386/cpu.c b/arch/x86/cpu/i386/cpu.c
index 2b27617ca3a4..72fefdd3adca 100644
--- a/arch/x86/cpu/i386/cpu.c
+++ b/arch/x86/cpu/i386/cpu.c
@@ -137,8 +137,9 @@ void arch_setup_gd(gd_t *new_gd)
 
 	/* FS: data, read/write, 4 GB, base (Global Data Pointer) */
 	new_gd->arch.gd_addr = new_gd;
-	gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0xc093,
-		     (ulong)&new_gd->arch.gd_addr, 0xfffff);
+	gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0x8093,
+					(ulong)&new_gd->arch.gd_addr,
+					sizeof(new_gd->arch.gd_addr) - 1);
 
 	/* 16-bit CS: code, read/execute, 64 kB, base 0 */
 	gdt_addr[X86_GDT_ENTRY_16BIT_CS] = GDT_ENTRY(0x009b, 0, 0x0ffff);
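Review bot: the commit message says the G bit is dropped, but going from 0xc093 to 0x8093 clears only flags bit 14, which is the D/B flag once GDT_ENTRY packs flags bits 15:12 into descriptor bits 55:52 the way the Linux-style macro does, while bit 15, the G flag, stays set; with G set, a limit field of sizeof(new_gd->arch.gd_addr) - 1 = 3 counts 4 KiB pages, so FS still spans 16 KiB rather than the 4 bytes the message intends. Byte granularity needs bit 15 cleared instead, e.g. `GDT_ENTRY(0x4093,` (or 0x0093, since D/B has no effect on a non-expand-down data segment that is never loaded into SS). The comment above the entry also still says "4 GB" and should be updated to describe the new limit.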
-- 
2.17.1
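Decoding the old and new FS descriptors numerically, as an added example that is not code from the patch or from U-Boot: the GDT_ENTRY packing below is assumed to match the Linux-style macro in U-Boot's arch/x86/cpu/i386/cpu.c, the base address is a constructed placeholder, and 0x4093 (a value not in the patch) is included for comparison. It reports the G and D/B bits and the highest FS offset each flags/limit pair accepts.

```c
#include <stdint.h>
#include <stdio.h>
/* Same packing as the Linux-style GDT_ENTRY() macro (assumed identical to U-Boot's):
 * flags bits 15:12 -> descriptor bits 55:52 (G, D/B, L, AVL); flags bits 7:0 -> access byte. */
#define GDT_ENTRY(flags, base, limit)                         \
	((((uint64_t)(base)  & 0xff000000ULL) << (56 - 24)) |     \
	 (((uint64_t)(flags) & 0x0000f0ffULL) << 40) |            \
	 (((uint64_t)(limit) & 0x000f0000ULL) << (48 - 16)) |     \
	 (((uint64_t)(base)  & 0x00ffffffULL) << 16) |            \
	 ((uint64_t)(limit) & 0x0000ffffULL))

struct seg_desc {
	uint32_t base;
	uint32_t raw_limit;  /* the 20-bit limit field as stored */
	uint64_t byte_limit; /* highest valid offset once G is applied */
	int g, db, present, writable;
};

/* Unpack an 8-byte descriptor the way the CPU reads it. */
static struct seg_desc decode(uint64_t d)
{
	struct seg_desc s;
	s.raw_limit = (uint32_t)(d & 0xffff) | (uint32_t)((d >> 32) & 0xf0000);
	s.base = (uint32_t)((d >> 16) & 0xffffff) | (uint32_t)((d >> 56) << 24);
	s.present = (int)((d >> 47) & 1);
	s.writable = (int)((d >> 41) & 1);
	s.g = (int)((d >> 55) & 1);
	s.db = (int)((d >> 54) & 1);
	/* G=1: the limit counts 4 KiB pages and every offset inside the last page is valid */
	s.byte_limit = s.g ? (((uint64_t)s.raw_limit << 12) | 0xfff) : s.raw_limit;
	return s;
}

/* Highest offset FS accepts for a flags/limit pair (base is a constructed placeholder). */
static uint64_t fs_byte_limit(uint16_t flags, uint32_t limit)
{
	return decode(GDT_ENTRY(flags, 0x12345678u, limit)).byte_limit;
}

int main(void)
{
	uint16_t flags[] = { 0xc093, 0x8093, 0x4093 }; /* before patch, after patch, G cleared */
	uint32_t lims[] = { 0xfffff, 3, 3 };           /* 3 == sizeof(gd_addr) - 1 on 32-bit */
	for (int i = 0; i < 3; i++) {
		struct seg_desc s = decode(GDT_ENTRY(flags[i], 0x12345678u, lims[i]));
		printf("flags 0x%04x limit 0x%05x: G=%d D/B=%d last valid offset 0x%llx\n",
		       (unsigned)flags[i], lims[i], s.g, s.db, (unsigned long long)s.byte_limit);
	}
	return 0;
}
```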


* [PATCH] x86: limit the fs segment to the pointer size
@ 2020-01-30  2:17 ` Simon Glass
From: Simon Glass @ 2020-01-30  2:17 UTC (permalink / raw)
  To: u-boot

On Wed, 8 Jan 2020 at 04:14, Masahiro Yamada <masahiroy@kernel.org> wrote:
>
> The fs segment is only used to get the global data pointer.
> If it is accessed beyond sizeof(new_gd->arch.gd_addr), it is a bug.
>
> To specify the byte-granule limit size, drop the G bit, so the
> flag field is 0x8093 instead of 0xc093, and set the limit field
> to sizeof(new_gd->arch.gd_addr) - 1.
>
> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
> ---
>
>  arch/x86/cpu/i386/cpu.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)

Reviewed-by: Simon Glass <sjg@chromium.org>


* [PATCH] x86: limit the fs segment to the pointer size
@ 2020-02-03  4:41 ` Bin Meng
From: Bin Meng @ 2020-02-03  4:41 UTC (permalink / raw)
  To: u-boot

On Wed, Jan 8, 2020 at 7:14 PM Masahiro Yamada <masahiroy@kernel.org> wrote:
>
> The fs segment is only used to get the global data pointer.
> If it is accessed beyond sizeof(new_gd->arch.gd_addr), it is a bug.
>
> To specify the byte-granule limit size, drop the G bit, so the
> flag field is 0x8093 instead of 0xc093, and set the limit field
> to sizeof(new_gd->arch.gd_addr) - 1.
>
> Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
> ---
>
>  arch/x86/cpu/i386/cpu.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/arch/x86/cpu/i386/cpu.c b/arch/x86/cpu/i386/cpu.c
> index 2b27617ca3a4..72fefdd3adca 100644
> --- a/arch/x86/cpu/i386/cpu.c
> +++ b/arch/x86/cpu/i386/cpu.c
> @@ -137,8 +137,9 @@ void arch_setup_gd(gd_t *new_gd)
>
>         /* FS: data, read/write, 4 GB, base (Global Data Pointer) */

nits: this comment should be updated too

>         new_gd->arch.gd_addr = new_gd;
> -       gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0xc093,
> -                    (ulong)&new_gd->arch.gd_addr, 0xfffff);
> +       gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0x8093,
> +                                       (ulong)&new_gd->arch.gd_addr,
> +                                       sizeof(new_gd->arch.gd_addr) - 1);
>
>         /* 16-bit CS: code, read/execute, 64 kB, base 0 */
>         gdt_addr[X86_GDT_ENTRY_16BIT_CS] = GDT_ENTRY(0x009b, 0, 0x0ffff);
> --

Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Bin Meng <bmeng.cn@gmail.com>


* [PATCH] x86: limit the fs segment to the pointer size
@ 2020-02-03  4:47   ` Bin Meng
From: Bin Meng @ 2020-02-03  4:47 UTC (permalink / raw)
  To: u-boot

On Mon, Feb 3, 2020 at 12:41 PM Bin Meng <bmeng.cn@gmail.com> wrote:
>
> On Wed, Jan 8, 2020 at 7:14 PM Masahiro Yamada <masahiroy@kernel.org> wrote:
> >
> > The fs segment is only used to get the global data pointer.
> > If it is accessed beyond sizeof(new_gd->arch.gd_addr), it is a bug.
> >
> > To specify the byte-granule limit size, drop the G bit, so the
> > flag field is 0x8093 instead of 0xc093, and set the limit field
> > to sizeof(new_gd->arch.gd_addr) - 1.
> >
> > Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
> > ---
> >
> >  arch/x86/cpu/i386/cpu.c | 5 +++--
> >  1 file changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/arch/x86/cpu/i386/cpu.c b/arch/x86/cpu/i386/cpu.c
> > index 2b27617ca3a4..72fefdd3adca 100644
> > --- a/arch/x86/cpu/i386/cpu.c
> > +++ b/arch/x86/cpu/i386/cpu.c
> > @@ -137,8 +137,9 @@ void arch_setup_gd(gd_t *new_gd)
> >
> >         /* FS: data, read/write, 4 GB, base (Global Data Pointer) */
>
> nits: this comment should be updated too

Fixed the comments, and

>
> >         new_gd->arch.gd_addr = new_gd;
> > -       gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0xc093,
> > -                    (ulong)&new_gd->arch.gd_addr, 0xfffff);
> > +       gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0x8093,
> > +                                       (ulong)&new_gd->arch.gd_addr,
> > +                                       sizeof(new_gd->arch.gd_addr) - 1);
> >
> >         /* 16-bit CS: code, read/execute, 64 kB, base 0 */
> >         gdt_addr[X86_GDT_ENTRY_16BIT_CS] = GDT_ENTRY(0x009b, 0, 0x0ffff);
> > --
>
> Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
> Tested-by: Bin Meng <bmeng.cn@gmail.com>

applied to u-boot-x86, thanks!

