<date>
04/2001

<title>
kernel ldt sysi86()

<os>
Solaris 2.7 2.8 x86

<info>
The code installs a trap call gate descriptor with DPL=3, targeting the kernel
code segment selector KCSSEL (DPL=0), in the task's local descriptor table (LDT)
through the sysi86(SI86DSCR, struct ssd*) system call.

As a result, a command shell is spawned with effective root user privileges.

<link>
SOLARIS/solx86_ldt.c

<file>
SOLARIS/solx86_ldt.c

