[EROS-Arch] EROS security bug

Charles Landau clandau@macslab.com
Tue, 13 Mar 2001 07:13:27 -0800


"Jonathan S. Shapiro" wrote:

> A segment selector of zero indicates a "null" segment, which is always a
> valid value but not usually a value that will allow the program to make
> progress. The bug was that the sa_IsKernel test wasn't checking for the
> zero value correctly, and therefore was dispatching the process on the
> "it's a kernel process" mis-theory.
>
> Your test case now generates a segment fault, which is puzzling, because
> it should probably generate a bad segment register value. I need to look
> into this further.

The segment fault is correct; it's referencing a nonexistent address. If
you continue from there, the test case will write a null CS, and the
process (at OID 0x101) will get a GP fault. Whether that's the expected
behavior, I don't know.

> Charles Landau wrote:
> >
> > I don't understand the x86 memory architecture and I'm not sure I want
> > to learn. Your fix continues to accept a zero CS, and apparently
> > that's OK. So there was only one bug.
> >
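The bug class described above (a privilege test that treats the null selector 0x0000 as a kernel code segment because its RPL bits happen to be 0), shown as an added C example. This is not EROS code and not the actual sa_IsKernel source, which the message does not quote; the "buggy" function is a hypothetical reconstruction of the failure mode, and the selector values in main() are constructed for illustration. The selector layout (RPL in bits 0-1, TI in bit 2, index in bits 3-15) and the definition of the null selector (index 0, TI 0, any RPL) are the real x86 rules.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86 segment selector layout: bits 0-1 RPL, bit 2 TI (0 = GDT, 1 = LDT),
 * bits 3-15 descriptor table index. */
#define SEL_RPL(sel)   ((uint16_t)((sel) & 0x3u))
#define SEL_TI(sel)    ((uint16_t)(((sel) >> 2) & 0x1u))
#define SEL_INDEX(sel) ((uint16_t)((sel) >> 3))

/* A selector with index 0 in the GDT is the null selector no matter what its
 * RPL bits say (0x0000..0x0003 are all null). Loading it into CS faults. */
static bool sel_is_null(uint16_t sel) {
    return SEL_INDEX(sel) == 0 && SEL_TI(sel) == 0;
}

/* Hypothetical buggy classification (reconstruction of the bug class, not
 * EROS code): "kernel" means RPL 0. The null selector 0x0000 has RPL 0, so a
 * process handing the kernel a zero CS is dispatched on the kernel path. */
static bool is_kernel_selector_buggy(uint16_t cs) {
    return SEL_RPL(cs) == 0;
}

/* Corrected classification: rule out the null selector before looking at the
 * privilege bits. A null CS is a valid value for the user to supply, but it is
 * never evidence that the process is a kernel process. */
static bool is_kernel_selector_fixed(uint16_t cs) {
    if (sel_is_null(cs))
        return false;
    return SEL_RPL(cs) == 0;
}

/* Count how many selectors in a set the two checks disagree on; the only
 * disagreements should be null selectors. */
static int count_disagreements(const uint16_t *sels, int n) {
    int diffs = 0;
    for (int i = 0; i < n; i++)
        if (is_kernel_selector_buggy(sels[i]) != is_kernel_selector_fixed(sels[i]))
            diffs++;
    return diffs;
}

int main(void) {
    /* Constructed sample selectors: null, null-with-RPL-3, GDT index 1 RPL 0
     * (kernel-style code segment), GDT index 3 RPL 3 (user-style). */
    const uint16_t sels[] = { 0x0000, 0x0003, 0x0008, 0x001B };
    const int n = (int)(sizeof sels / sizeof sels[0]);

    printf("selector  null  buggy_is_kernel  fixed_is_kernel\n");
    for (int i = 0; i < n; i++)
        printf("0x%04X    %d     %d                %d\n", sels[i],
               sel_is_null(sels[i]),
               is_kernel_selector_buggy(sels[i]),
               is_kernel_selector_fixed(sels[i]));
    printf("disagreements: %d (expected: only the null selector 0x0000)\n",
           count_disagreements(sels, n));
    return 0;
}
```

The point the table makes is that the fix does not need to reject a zero CS (the original message notes the fix still accepts it); it only needs to stop interpreting it as a kernel credential, so the process later takes a fault of its own instead of running with kernel privilege.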