Handle bogus %cs selector in single-step instruction decoding (29eb5110) · Commits · e / devices / android_kernel_xiaomi_markw

arch/i386/kernel/ptrace.c

+15 −7

Original line number	Diff line number	Diff line
		@@ -164,14 +164,22 @@ static unsigned long convert_eip_to_linear(struct task_struct *child, struct pt_
		u32 *desc;
		unsigned long base;

		seg &= ~7UL;

		down(&child->mm->context.sem);
		desc = child->mm->context.ldt + (seg & ~7);
		base = (desc[0] >> 16) \| ((desc[1] & 0xff) << 16) \| (desc[1] & 0xff000000);
		if (unlikely((seg >> 3) >= child->mm->context.size))
		addr = -1L; /* bogus selector, access would fault */
		else {
		desc = child->mm->context.ldt + seg;
		base = ((desc[0] >> 16) \|
		((desc[1] & 0xff) << 16) \|
		(desc[1] & 0xff000000));

		/* 16-bit code segment? */
		if (!((desc[1] >> 22) & 1))
		addr &= 0xffff;
		addr += base;
		}
		up(&child->mm->context.sem);
		}
		return addr;

+16 −7

Original line number	Diff line number	Diff line
		@@ -102,16 +102,25 @@ unsigned long convert_rip_to_linear(struct task_struct child, struct pt_regs r
		u32 *desc;
		unsigned long base;

		seg &= ~7UL;

		down(&child->mm->context.sem);
		desc = child->mm->context.ldt + (seg & ~7);
		base = (desc[0] >> 16) \| ((desc[1] & 0xff) << 16) \| (desc[1] & 0xff000000);
		if (unlikely((seg >> 3) >= child->mm->context.size))
		addr = -1L; /* bogus selector, access would fault */
		else {
		desc = child->mm->context.ldt + seg;
		base = ((desc[0] >> 16) \|
		((desc[1] & 0xff) << 16) \|
		(desc[1] & 0xff000000));

		/* 16-bit code segment? */
		if (!((desc[1] >> 22) & 1))
		addr &= 0xffff;
		addr += base;
		}
		up(&child->mm->context.sem);
		}

		return addr;
		}