- fix flaw in IO bitmap permission handling (anonymous patch)

From the author (see bug #663320) :
  In the code there is a check to verify that an IO bitmap
  is defined (io_base > BX_CPU_THIS_PTR
  tr.cache.u.tss386.limit_scaled) but there is no check if
  an accessed IO port's address actually falls within the
  defined limit of the TSS segment. So if I define an IO
  bitmap with 100 entries, port 101 may or may not be
  allowed depending on whatever bytes follow the TSS in
  memory
This commit is contained in:
Christophe Bothamy 2003-08-24 23:14:52 +00:00
parent 6c66a9a9a9
commit 6977467ed7

View File

@ -1,5 +1,5 @@
///////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////
// $Id: io_pro.cc,v 1.12 2003-03-02 23:59:09 cbothamy Exp $ // $Id: io_pro.cc,v 1.13 2003-08-24 23:14:52 cbothamy Exp $
///////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////
// //
// Copyright (C) 2001 MandrakeSoft S.A. // Copyright (C) 2001 MandrakeSoft S.A.
@ -171,10 +171,11 @@ BX_INFO(("len is %u", len));
BX_PANIC(("allow_io(): TR:io_base <= 103")); BX_PANIC(("allow_io(): TR:io_base <= 103"));
} }
if (io_base > BX_CPU_THIS_PTR tr.cache.u.tss386.limit_scaled) { if ( (Bit16s) (addr/8) > (BX_CPU_THIS_PTR tr.cache.u.tss386.limit_scaled - io_base)) {
BX_INFO(("allow_io(): CPL > IOPL: no IO bitmap defined #GP(0)")); BX_INFO(("allow_io(): IO adr %x outside TSS IO permission map (max port=%x) #GP(0)",
addr, 8*(BX_CPU_THIS_PTR tr.cache.u.tss386.limit_scaled - io_base) ));
return(0); return(0);
} }
access_linear(BX_CPU_THIS_PTR tr.cache.u.tss386.base + io_base + addr/8, access_linear(BX_CPU_THIS_PTR tr.cache.u.tss386.base + io_base + addr/8,
2, 0, BX_READ, &permission16); 2, 0, BX_READ, &permission16);