From owner-freebsd-bugs Wed Apr 3 16:30:37 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 04C5437B41B for ; Wed, 3 Apr 2002 16:30:01 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g340U0q33198; Wed, 3 Apr 2002 16:30:00 -0800 (PST) (envelope-from gnats)
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 1178337B405 for ; Wed, 3 Apr 2002 16:20:53 -0800 (PST)
Received: (from nobody@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g340Krh31684; Wed, 3 Apr 2002 16:20:53 -0800 (PST) (envelope-from nobody)
Message-Id: <200204040020.g340Krh31684@freefall.freebsd.org>
Date: Wed, 3 Apr 2002 16:20:53 -0800 (PST)
From: David Xu
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-1.0
Subject: i386/36710: possible privilege level check bug in /sys/i386/isa/ipl.s
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         36710
>Category:       i386
>Synopsis:       possible privilege level check bug in /sys/i386/isa/ipl.s
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 03 16:30:00 PST 2002
>Closed-Date:
>Last-Modified:
>Originator:     David Xu
>Release:        FreeBSD 4.4-stable
>Organization:
Viatech
>Environment:
gulala
>Description:
In file /sys/i386/isa/ipl.s, when the system checks whether the code selector on the trap frame is coming from USER level or V86 mode, it first checks whether it is coming from USER level. This is wrong; it should first check whether it is coming from V86 mode, because a V86 mode code selector hasn't any privilege level information, and checking the privilege level in the selector gives a random value. I have the patch for this bug.
>How-To-Repeat:
>Fix:
--- ipl.s.orig	Thu Apr 4 07:37:13 2002
+++ ipl.s	Thu Apr 4 07:57:46 2002
@@ -128,12 +128,14 @@
 	/* Check for ASTs that can be handled now. */
 	testl	$AST_PENDING,_astpending
 	je	doreti_exit
-	testb	$SEL_RPL_MASK,TF_CS(%esp)
-	jne	doreti_ast
 	testl	$PSL_VM,TF_EFLAGS(%esp)
-	je	doreti_exit
+	jz	doreti_UPL
 	cmpl	$1,_in_vm86call
 	jne	doreti_ast
+	jmp	doreti_exit
+doreti_UPL:
+	testb	$SEL_RPL_MASK,TF_CS(%esp)
+	jnz	doreti_ast
 
 /*
  * doreti_exit - release MP lock, pop registers, iret.
>Release-Note:
>Audit-Trail:
>Unformatted:
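Review bot: the hunk carries no comment saying why the PSL_VM test now has to come before the SEL_RPL_MASK test, and a one-line comment above the new `testl $PSL_VM,TF_EFLAGS(%esp)` ("CS in a V86 frame is a real-mode segment, its RPL bits are meaningless") would keep the next editor from restoring the old order. The logic itself checks out against the visible lines: before the change, a V86 frame whose TF_CS happened to have either low bit set went to doreti_ast before `cmpl $1,_in_vm86call` was ever reached, so the _in_vm86call == 1 case that the existing code sends to doreti_exit could instead land in doreti_ast; after the change that path is decided by PSL_VM and _in_vm86call alone, and the RPL bits are only consulted once the frame is known to be a protected-mode frame, which matches the PR description. Two smaller points: renaming `je`/`jne` to `jz`/`jnz` is a pure mnemonic alias with no code change and is worth flagging as cosmetic in the commit message, and since the new doreti_UPL label is introduced here, it is worth confirming that the name does not collide with an existing symbol in ipl.s and that no other test of SEL_RPL_MASK against TF_CS in the same file needs the same reordering.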
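The ordering problem the PR describes, written out in C as an added example (not code from the PR or from ipl.s): the constant values are those of FreeBSD's i386 SEL_RPL_MASK and PSL_VM, while struct frame, old_doreti and new_doreti are constructed stand-ins for the two trap-frame fields and the two doreti paths, and the sample frames are made up for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants as defined in FreeBSD's i386 segments.h and psl.h. */
#define SEL_RPL_MASK 0x0003u      /* requested-privilege-level bits of a selector */
#define PSL_VM       0x00020000u  /* EFLAGS.VM: the frame came from virtual-8086 mode */

/* Stand-in for the two trap-frame fields doreti looks at (constructed for
 * this example; not the kernel's struct trapframe). */
struct frame {
    uint32_t tf_cs;
    uint32_t tf_eflags;
};

enum doreti_path { DORETI_EXIT = 0, DORETI_AST = 1 };

/* Ordering before the patch: the RPL bits of CS decide first, even though
 * they are meaningless when the frame is a V86 frame. */
static enum doreti_path old_doreti(const struct frame *tf, int ast_pending, int in_vm86call)
{
    if (!ast_pending)
        return DORETI_EXIT;
    if (tf->tf_cs & SEL_RPL_MASK)           /* garbage if PSL_VM is set */
        return DORETI_AST;
    if (!(tf->tf_eflags & PSL_VM))
        return DORETI_EXIT;
    return (in_vm86call == 1) ? DORETI_EXIT : DORETI_AST;
}

/* Ordering after the patch: settle V86 first; only a protected-mode frame
 * carries a real selector whose RPL bits can be trusted. */
static enum doreti_path new_doreti(const struct frame *tf, int ast_pending, int in_vm86call)
{
    if (!ast_pending)
        return DORETI_EXIT;
    if (tf->tf_eflags & PSL_VM)
        return (in_vm86call == 1) ? DORETI_EXIT : DORETI_AST;
    return (tf->tf_cs & SEL_RPL_MASK) ? DORETI_AST : DORETI_EXIT;
}

int main(void)
{
    /* Kernel-initiated vm86 call whose real-mode CS happens to end in binary 11:
     * the old code misreads those bits as RPL 3 and takes doreti_ast. */
    struct frame vm86 = { .tf_cs = 0x1003, .tf_eflags = PSL_VM | 0x202 };
    printf("old=%d new=%d (1 = doreti_ast)\n",
           old_doreti(&vm86, 1, 1), new_doreti(&vm86, 1, 1));
    return 0;
}
```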