commit 2fa863e9aa4e9d5638c6a8555a7d71dc38e79b90
author Masahiro Yamada <masahiroy@kernel.org> Wed Jan 08 20:13:42 2020 +0900
committer Bin Meng <bmeng.cn@gmail.com> Tue Feb 04 01:19:26 2020 +0800
tree 66c18fd1385f05498c0662821c3a6277e7d72ed9
parent 0d67fac29f3187e67f4fd3ef15f73e91be2fad12

x86: limit the fs segment to the pointer size

The fs segment is only used to get the global data pointer.
If it is accessed beyond sizeof(new_gd->arch.gd_addr), it is a bug.

To specify the byte-granule limit size, drop the G bit, so the
flag field is 0x8093 instead of 0xc093, and set the limit field
to sizeof(new_gd->arch.gd_addr) - 1.

Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Bin Meng <bmeng.cn@gmail.com>
Tested-by: Bin Meng <bmeng.cn@gmail.com>
[bmeng: fixed the comments about FS segement]
Signed-off-by: Bin Meng <bmeng.cn@gmail.com>

arch/x86/cpu/i386/cpu.c

diff --git a/arch/x86/cpu/i386/cpu.c b/arch/x86/cpu/i386/cpu.c
index 1592b2c..c8da7f1 100644
--- a/arch/x86/cpu/i386/cpu.c
+++ b/arch/x86/cpu/i386/cpu.c
@@ -136,10 +136,14 @@
 	/* DS: data, read/write, 4 GB, base 0 */
 	gdt_addr[X86_GDT_ENTRY_32BIT_DS] = GDT_ENTRY(0xc093, 0, 0xfffff);
 
-	/* FS: data, read/write, 4 GB, base (Global Data Pointer) */
+	/*
+	 * FS: data, read/write, sizeof (Global Data Pointer),
+	 * base (Global Data Pointer)
+	 */
 	new_gd->arch.gd_addr = new_gd;
-	gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0xc093,
-		     (ulong)&new_gd->arch.gd_addr, 0xfffff);
+	gdt_addr[X86_GDT_ENTRY_32BIT_FS] = GDT_ENTRY(0x8093,
+					(ulong)&new_gd->arch.gd_addr,
+					sizeof(new_gd->arch.gd_addr) - 1);
 
 	/* 16-bit CS: code, read/execute, 64 kB, base 0 */
 	gdt_addr[X86_GDT_ENTRY_16BIT_CS] = GDT_ENTRY(0x009b, 0, 0x0ffff);