* Bug in IO bitmap handling? Probably exploitable (2.6.5)
@ 2004-05-07 15:09 Stas Sergeev
2004-05-07 16:38 ` Linus Torvalds
0 siblings, 1 reply; 2+ messages in thread
From: Stas Sergeev @ 2004-05-07 15:09 UTC (permalink / raw)
To: linux-kernel
[-- Attachment #1: Type: text/plain, Size: 1319 bytes --]
Hello.
The attached is the small program that
tries to write 0x20 to port 0x20.
Normally this should cause SIGSEGV, so
the program should crash.
I think there is a bug in the 2.6
kernels though, which makes it to not
crash if some trivial conditions are
met. Basically it seems that if any process
that obtained an IO access permissions
via ioperm(), exits without explicitly
"dropping" that permissions, the IO
permissions gets "inherited" by all
other processes in the system.
The cause seems to be that exit_thread()
only invalidates the per-thread io_bitmap
pointer, but doesn't invalidate the
per-TSS io_bitmap pointer as well. As the
per-thread pointer is invalidated,
__switch_to() doesn't take care of that
one either, so the per-TSS pointer stays
valid as long as some other process
does ioperm().
Here it is sufficient to start an X server
and exit it, and then the program that
is attached, will not get a SIGSEGV any
more, actually successing with the port
write.
I am also attaching the patch that seems
like fixing the problem - it invalidates
also the per-TSS io_bitmap pointer and
the problem goes away.
Can someone please confirm (or refute)
the presense of the bug there? Because
if it is really a bug, I suppose it can
be exploited, if not for getting root,
then at least to deadlock the machine.
[-- Attachment #2: port.c --]
[-- Type: text/plain, Size: 121 bytes --]
#include <stdio.h>
#include <asm/io.h>
int main()
{
outb(0x20, 0x20);
printf("Fine, I am alive!\n");
return 0;
}
[-- Attachment #3: tss_iobtm.diff --]
[-- Type: text/plain, Size: 503 bytes --]
--- linux/arch/i386/kernel/process.c 2004-04-14 09:41:14.000000000 +0400
+++ linux/arch/i386/kernel/process.c 2004-05-07 14:54:13.000000000 +0400
@@ -293,8 +293,11 @@
/* The process may have allocated an io port bitmap... nuke it. */
if (unlikely(NULL != tsk->thread.io_bitmap_ptr)) {
+ int cpu = smp_processor_id();
+ struct tss_struct *tss = init_tss + cpu;
kfree(tsk->thread.io_bitmap_ptr);
tsk->thread.io_bitmap_ptr = NULL;
+ tss->io_bitmap_base = INVALID_IO_BITMAP_OFFSET;
}
}
[-- Attachment #4: Type: text/plain, Size: 82 bytes --]
Scanned by evaluation version of Dr.Web antivirus Daemon
http://drweb.ru/unix/
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Bug in IO bitmap handling? Probably exploitable (2.6.5)
2004-05-07 15:09 Bug in IO bitmap handling? Probably exploitable (2.6.5) Stas Sergeev
@ 2004-05-07 16:38 ` Linus Torvalds
0 siblings, 0 replies; 2+ messages in thread
From: Linus Torvalds @ 2004-05-07 16:38 UTC (permalink / raw)
To: Stas Sergeev; +Cc: linux-kernel
On Fri, 7 May 2004, Stas Sergeev wrote:
>
> Can someone please confirm (or refute) the presense of the bug there?
Looks very true, and your patch looks fine too, except we should use
"get_cpu()" and "put_cpu()" to make sure that kernel preemption does not
change the CPU in the middle of the operation.
Thanks,
Linus
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2004-05-07 16:38 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2004-05-07 15:09 Bug in IO bitmap handling? Probably exploitable (2.6.5) Stas Sergeev
2004-05-07 16:38 ` Linus Torvalds
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox