Chuck Ebbert wrote:
>On Wed, 10 Aug 2005 at 21:56:20 -0700, zach@vmware.com wrote:
>
>
>
>>Patch-base: 2.6.13-rc5-mm1
>>Patch-keys: i386 desc cleanup
>>Signed-off-by: Zachary Amsden
>>Index: linux-2.6.13/include/asm-i386/desc.h
>>===================================================================
>>--- linux-2.6.13.orig/include/asm-i386/desc.h 2005-08-09 19:43:38.000000000 -0700
>>+++ linux-2.6.13/include/asm-i386/desc.h 2005-08-10 20:42:03.000000000 -0700
>>@@ -14,6 +14,28 @@
>>
>> #include
>>
>>+#define desc_empty(desc) \
>>+ (!((desc)->a + (desc)->b))
>>+
>>
>>
>
> I think that should be "|" instead of "+".
>

I think so too. I merely moved the code here and didn't notice it in all this excitement.

0x00cf9a00 0xff306600 => Present CPL-0 32-bit code segment, base 0x0000ff30, limit 0xf6601 pages, for which desc_empty(desc) is true. Thankfully, this is not used as a security check, but it can falsely overwrite TLS segments with carefully chosen base / limits. I do not believe this is an issue in practice, but it is a kernel bug.

Nice catch. Looks like it affects all 2.6.X kernels.

Zach
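Review bot: the `desc_empty` macro in this hunk, `(!((desc)->a + (desc)->b))`, is incorrect because the addition wraps modulo 2^32, so two non-zero descriptor words can sum to zero and a live descriptor is reported empty; the value quoted in the reply, a = 0xff306600 and b = 0x00cf9a00, sums to exactly 0x100000000 and truncates to 0. Replace the `+` with bitwise OR, `(!((desc)->a | (desc)->b))`, which is zero only when both words are zero; since this patch only moves the macro, the correction is worth a separate fix with a comment on the wrap-around.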
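As an added example (not code from the thread or from the kernel tree), the following C program reproduces the wrap-around on the descriptor value Zach gives and decodes the descriptor to confirm it is a present CPL-0 32-bit code segment with base 0x0000ff30. The two-dword `a`/`b` layout mirrors desc.h; `desc_empty_buggy`, `desc_empty_fixed` and `decode_desc` are names chosen here, and the descriptor value is constructed from the thread.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>

/* Two-dword x86 segment descriptor: a = low dword, b = high dword.
 * uint32_t reproduces i386 unsigned long arithmetic on any host. */
struct desc_struct { uint32_t a, b; };

/* Macro as posted: the sum wraps modulo 2^32, so a live descriptor can read as empty. */
#define desc_empty_buggy(desc)  (!((desc)->a + (desc)->b))
/* Fix suggested in the thread: OR is zero only when both dwords are zero. */
#define desc_empty_fixed(desc)  (!((desc)->a | (desc)->b))

/* Descriptor fields decoded the way the CPU reads them. */
struct desc_fields {
    uint32_t base;
    uint32_t limit;        /* raw 20-bit limit; counts 4K pages when granularity is set */
    bool present, granularity, db, is_code;
    unsigned dpl;
};

static struct desc_fields decode_desc(const struct desc_struct *d)
{
    struct desc_fields f;
    f.base = (d->a >> 16) | ((d->b & 0xffu) << 16) | (d->b & 0xff000000u);
    f.limit = (d->a & 0xffffu) | (d->b & 0x000f0000u);
    f.present = (d->b >> 15) & 1;
    f.dpl = (d->b >> 13) & 3;
    f.is_code = (d->b >> 11) & 1;      /* with S (bit 12) set, type bit 3 => code segment */
    f.db = (d->b >> 22) & 1;
    f.granularity = (d->b >> 23) & 1;
    return f;
}

/* Constructed counter-example from the thread: a + b == 0x100000000, truncated to 0. */
static const struct desc_struct sample = { .a = 0xff306600u, .b = 0x00cf9a00u };

int buggy_says_empty(void) { return desc_empty_buggy(&sample); }
int fixed_says_empty(void) { return desc_empty_fixed(&sample); }
uint32_t sample_base(void)  { return decode_desc(&sample).base; }
uint32_t sample_limit(void) { return decode_desc(&sample).limit; }   /* 0xf6600 -> 0xf6601 pages */
int sample_present_cpl0_code(void)
{
    struct desc_fields f = decode_desc(&sample);
    return f.present && f.dpl == 0 && f.is_code && f.db && f.granularity;
}

int main(void)
{
    printf("buggy desc_empty=%d fixed desc_empty=%d base=0x%08x limit=0x%05x\n",
           buggy_says_empty(), fixed_says_empty(), sample_base(), sample_limit());
    return 0;
}
```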