]> git.saurik.com Git - apple/xnu.git/blobdiff - osfmk/i386/user_ldt.c
projects / apple / xnu.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
xnu-4570.71.2.tar.gz
[apple/xnu.git] / osfmk / i386 / user_ldt.c
diff --git a/osfmk/i386/user_ldt.c b/osfmk/i386/user_ldt.c
index 45f51361f95fdfc9021c213d5e75b89d11e66375..35dd2cef786250a813c63b76ef44612c0a45efd7 100644 (file)
--- a/osfmk/i386/user_ldt.c
+++ b/osfmk/i386/user_ldt.c
@@ -224,7 +224,6 @@ i386_set_ldt(
            } else {
                bzero(&new_ldt->ldt[start_sel - begin_sel], num_sels * sizeof(struct real_descriptor));
            }
-
            /*
             * Validate descriptors.
             * Only allow descriptors with user privileges.
@@ -237,7 +236,7 @@ i386_set_ldt(
                    case 0:
                    case ACC_P:
                        /* valid empty descriptor, clear Present preemptively */
-                       dp->access &= ~ACC_P;
+                       dp->access &= (~ACC_P & 0xff);
                        break;
                    case ACC_P | ACC_PL_U | ACC_DATA:
                    case ACC_P | ACC_PL_U | ACC_DATA_W:
@@ -253,6 +252,12 @@ i386_set_ldt(
                        user_ldt_free(new_ldt);
                        return EACCES;
                }
+               /* Reject attempts to create segments with 64-bit granules */
+               if (dp->granularity & SZ_64) {
+                       task_unlock(task);
+                       user_ldt_free(new_ldt);
+                       return EACCES;
+               }
            }
        }
 
@@ -292,9 +297,9 @@ i386_get_ldt(
        unsigned int    ldt_count;
        kern_return_t   err;
 
-       if (start_sel >= 8192)
+       if (start_sel >= LDTSZ)
            return EINVAL;
-       if ((uint64_t)start_sel + (uint64_t)num_sels > 8192)
+       if ((uint64_t)start_sel + (uint64_t)num_sels > LDTSZ)
            return EINVAL;
        if (descs == 0)
            return EINVAL;
@@ -389,7 +394,7 @@ user_ldt_set(
            bcopy(user_ldt->ldt, &ldtp[user_ldt->start],
                  sizeof(struct real_descriptor) * (user_ldt->count));
 
-           gdt_desc_p(USER_LDT)->limit_low = (sizeof(struct real_descriptor) * (user_ldt->start + user_ldt->count)) - 1;
+           gdt_desc_p(USER_LDT)->limit_low = (uint16_t)((sizeof(struct real_descriptor) * (user_ldt->start + user_ldt->count)) - 1);
 
            ml_cpu_set_ldt(USER_LDT);
        } else {
mirror of XNU