core, adv: for CHS mode, the top 40 LBA bits must be zero

The top 40 bits of the LBA must be zero on CHS mode.  Enforce this,
and also fix leak of the drive number into a divide instruction with
resulting overflow.

Reported-by: Gert Hulselmans <gerth@zytor.com>
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>

diff --git a/core/adv.inc b/core/adv.inc
index 76da504..0b45a6c 100644 (file)
--- a/core/adv.inc
+++ b/core/adv.inc
@@ -407,6 +407,9 @@ adv_read_write:
                push eax
                push bp
 
+               and edx,edx                     ; > 2 TiB not possible
+               jnz .cb_overflow
+
                mov dl,[ADVDrive]
                and dl,dl
                ; Floppies: can't trust INT 13h 08h, we better know
@@ -443,6 +446,7 @@ adv_read_write:
                 ; Dividing by sectors to get (track,sector): we may have
                 ; up to 2^18 tracks, so we need to use 32-bit arithmetric.
                 ;
+               xor edx,edx
                 div esi
                 xor cx,cx
                 xchg cx,dx              ; CX <- sector index (0-based)