On Thu, Apr 26, 2001 at 03:41:49PM +0200, Florian Weimer wrote:
>
> Has anybody looked at the LDT modification syscall in the Linux
> kernel? The most severe problems with it were fixed back in 1997 or
> so, but the code seems to have changed substantially since then.

As far as I can see, the Linux modify_ldt syscall only allows you to create code/data segments, not system descriptors (e.g. call gates). It is true that some of the values are OR'd into the destination descriptor without masking. However, system segments need bit 12 of entry_2 set to 0, and there is a fixed OR with 0x7000 which thwarts this possibility (lucky the Intel designers didn't choose the inverse logic!), and also enforces privilege level 3. I doubt there's anything nasty one can do with regular segment descriptors at DPL 3, since the user already has ones spanning the entire address space.

Matt
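The bit-level argument above can be checked directly. The following is an added example, not code from Matt's mail or from the Linux kernel: it re-implements the descriptor packing that the 2.4-era write_ldt() performed on a modify_ldt(2) request (the field names follow the i386 struct modify_ldt_ldt_s; the exact packing is reconstructed from memory and is an assumption, not a copy of kernel source), then decodes the S bit, DPL and type of the result. The crafted request drives the 4-bit type field to 0xC, the type number a call gate would carry, and the exhaustive check walks every combination of the request's flag fields; in both cases the fixed OR with 0x7000 leaves S=1 and DPL=3, so the entry can only ever be a ring-3 code or data segment.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example (not code from Matt's mail or the kernel). Re-implements
 * the descriptor packing of the 2.4-era write_ldt() so the effect of the
 * fixed "| 0x7000" can be inspected bit by bit. Field names follow the
 * i386 struct modify_ldt_ldt_s; the packing is an assumption reconstructed
 * from memory, not copied kernel source.
 */
struct ldt_request {
    uint32_t entry_number;
    uint32_t base_addr;
    uint32_t limit;
    unsigned seg_32bit:1;
    unsigned contents:2;        /* bit0: expand-down/conforming, bit1: code */
    unsigned read_exec_only:1;
    unsigned limit_in_pages:1;
    unsigned seg_not_present:1;
    unsigned useable:1;
};

/* Low dword of the 8-byte descriptor: base[15:0] and limit[15:0]. */
static uint32_t encode_entry_1(const struct ldt_request *r)
{
    return ((r->base_addr & 0x0000ffffu) << 16) | (r->limit & 0x0ffffu);
}

/* High dword. Every user-controlled field is OR'd in unmasked, then
 * 0x7000 (bits 12..14) is OR'd on top: S=1 (code/data) and DPL=3. */
static uint32_t encode_entry_2(const struct ldt_request *r)
{
    uint32_t e2 = (r->base_addr & 0xff000000u)
                | ((r->base_addr & 0x00ff0000u) >> 16)
                | (r->limit & 0xf0000u)
                | ((uint32_t)r->contents << 10)
                | ((uint32_t)(r->read_exec_only ^ 1) << 9)
                | ((uint32_t)r->seg_32bit << 22)
                | ((uint32_t)r->limit_in_pages << 23)
                | ((uint32_t)(r->seg_not_present ^ 1) << 15)
                | 0x7000u;
    if (r->useable)
        e2 |= 1u << 20;
    return e2;
}

/* Field extractors for the high dword (Intel SDM segment descriptor layout). */
static unsigned descriptor_type(uint32_t e2)    { return (e2 >> 8) & 0xf; }
static unsigned descriptor_s_bit(uint32_t e2)   { return (e2 >> 12) & 1; }
static unsigned descriptor_dpl(uint32_t e2)     { return (e2 >> 13) & 3; }
static unsigned descriptor_present(uint32_t e2) { return (e2 >> 15) & 1; }

/* A call gate needs S=0 with type 0xC. This request pushes the type field
 * to 0xC (contents=3, read_exec_only=1) over a flat 4 GiB range, which is
 * as close as the interface lets a caller get. */
static uint32_t call_gate_attempt_entry_2(void)
{
    struct ldt_request r = {0};
    r.limit = 0xfffff;
    r.seg_32bit = 1;
    r.contents = 3;
    r.read_exec_only = 1;
    r.limit_in_pages = 1;
    return encode_entry_2(&r);
}

/* Exhaustively check every combination of the one- and two-bit request
 * fields: the result is always S=1 and DPL=3, i.e. a ring-3 code/data
 * segment, never a system descriptor. Returns 1 if that holds. */
static int all_requests_stay_user_code_or_data(void)
{
    for (unsigned bits = 0; bits < 128; bits++) {
        struct ldt_request r = {0};
        r.limit = 0xfffff;
        r.seg_32bit       = bits & 1;
        r.contents        = (bits >> 1) & 3;
        r.read_exec_only  = (bits >> 3) & 1;
        r.limit_in_pages  = (bits >> 4) & 1;
        r.seg_not_present = (bits >> 5) & 1;
        r.useable         = (bits >> 6) & 1;
        uint32_t e2 = encode_entry_2(&r);
        if (descriptor_s_bit(e2) != 1 || descriptor_dpl(e2) != 3)
            return 0;
    }
    return 1;
}

int main(void)
{
    struct ldt_request probe = {0};
    probe.limit = 0xfffff;
    uint32_t e1 = encode_entry_1(&probe);
    uint32_t e2 = call_gate_attempt_entry_2();
    printf("entry_1 = 0x%08x entry_2 = 0x%08x type=0x%x S=%u DPL=%u P=%u\n",
           e1, e2, descriptor_type(e2), descriptor_s_bit(e2),
           descriptor_dpl(e2), descriptor_present(e2));
    printf("all 128 flag combinations give S=1, DPL=3: %s\n",
           all_requests_stay_user_code_or_data() ? "yes" : "no");
    return 0;
}
```

The crafted entry decodes as 0x00CFFC00: type 0xC with S=1 is a conforming, execute-only code segment at DPL 3, not a gate. The one thing the OR cannot do is clear a bit, which is why the argument depends on code/data segments being the S=1 encoding; had Intel used S=0 for code/data, a fixed OR could not have ruled out system descriptors.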
This archive was generated by hypermail 2b30 : Fri Apr 27 2001 - 01:11:28 PDT