X-Git-Url: https://git.saurik.com/apple/xnu.git/blobdiff_plain/d41d1dae2cd00cc08c7982087d1c445180cad9f5..d26ffc64f583ab2d29df48f13518685602bc8832:/osfmk/i386/user_ldt.c
diff --git a/osfmk/i386/user_ldt.c b/osfmk/i386/user_ldt.c
index 45f51361f..35dd2cef7 100644
--- a/osfmk/i386/user_ldt.c
+++ b/osfmk/i386/user_ldt.c
@@ -224,7 +224,6 @@ i386_set_ldt(
 	} else {
 		bzero(&new_ldt->ldt[start_sel - begin_sel], num_sels * sizeof(struct real_descriptor));
 	}
-
 	/*
 	 * Validate descriptors.
 	 * Only allow descriptors with user privileges.
@@ -237,7 +236,7 @@ i386_set_ldt(
 		case 0:
 		case ACC_P:
 			/* valid empty descriptor, clear Present preemptively */
-			dp->access &= ~ACC_P;
+			dp->access &= (~ACC_P & 0xff);
 			break;
 		case ACC_P | ACC_PL_U | ACC_DATA:
 		case ACC_P | ACC_PL_U | ACC_DATA_W:
@@ -253,6 +252,12 @@ i386_set_ldt(
 				user_ldt_free(new_ldt);
 				return EACCES;
 			}
+			/* Reject attempts to create segments with 64-bit granules */
+			if (dp->granularity & SZ_64) {
+				task_unlock(task);
+				user_ldt_free(new_ldt);
+				return EACCES;
+			}
 		}
 	}
@@ -292,9 +297,9 @@ i386_get_ldt(
 	unsigned int ldt_count;
 	kern_return_t err;
-	if (start_sel >= 8192)
+	if (start_sel >= LDTSZ)
 		return EINVAL;
-	if ((uint64_t)start_sel + (uint64_t)num_sels > 8192)
+	if ((uint64_t)start_sel + (uint64_t)num_sels > LDTSZ)
 		return EINVAL;
 	if (descs == 0)
 		return EINVAL;
@@ -389,7 +394,7 @@ user_ldt_set(
 	bcopy(user_ldt->ldt, &ldtp[user_ldt->start],
 		sizeof(struct real_descriptor) * (user_ldt->count));
-	gdt_desc_p(USER_LDT)->limit_low = (sizeof(struct real_descriptor) * (user_ldt->start + user_ldt->count)) - 1;
+	gdt_desc_p(USER_LDT)->limit_low = (uint16_t)((sizeof(struct real_descriptor) * (user_ldt->start + user_ldt->count)) - 1);
 	ml_cpu_set_ldt(USER_LDT);
 	} else {
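Review bot: The `& 0xff` in `dp->access &= (~ACC_P & 0xff);` and the `(uint16_t)` cast on `gdt_desc_p(USER_LDT)->limit_low` in the user_ldt_set hunk both narrow a value to a field width that the change states nowhere, so a later change to the descriptor layout or to LDTSZ would truncate silently instead of failing to compile. For the access byte a short comment such as `/* access is an 8-bit field; the mask keeps ~ACC_P in range */` records the assumption that presumably motivates the mask. For the limit, `(sizeof(struct real_descriptor) * (start + count)) - 1` fits 16 bits only while LDTSZ descriptors span at most 64 KiB, which holds if LDTSZ is the 8192 the i386_get_ldt hunk replaces and start + count is bounded by it as that hunk's check suggests; pin that with `_Static_assert(sizeof(struct real_descriptor) * LDTSZ - 1 <= UINT16_MAX, "LDT limit must fit limit_low");` next to the assignment rather than relying on the cast alone. Both i386_set_ldt and user_ldt_set begin and end outside their hunks.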
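Review bot: The new SZ_64 rejection repeats the `task_unlock(task); user_ldt_free(new_ldt); return EACCES;` sequence that the rejection path immediately above it already uses, so each added validation rule is another copy of the cleanup and another place where the unlock could be missed. A single label at the end of i386_set_ldt (`fail:` followed by those three lines) with `goto fail;` at each rejected descriptor would keep the unlock and free in one place; the function begins and ends outside the hunk. The comment says what is rejected but not why; adding the reason, presumably that a task must not be able to install a 64-bit (L-bit) code segment through its own LDT, lets a reader judge whether other granularity bits need the same treatment. The check also appears to run for the `case 0` / `case ACC_P` empty descriptors, which `break` out of the switch before it; that is conservative, but worth a word in the comment so nobody "fixes" it.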