Fwd: ioperm is preserved across fork and execve, but iopl is not

Fwd: ioperm is preserved across fork and execve, but iopl is not

[Alex Henrie]

[-- Attachment #1: Type: text/plain, Size: 1091 bytes --]

Dear kernel developers,

The ioperm and iopl calls are both used to grant a process permission
to access I/O devices directly. iopl(3) is equivalent to ioperm(0,
0xFFFF, 1). However, permissions granted through ioperm are preserved
across fork and execve, and permissions granted through iopl are not.
This makes no sense: The two calls do the same thing, so there is no
security benefit to dropping one on fork or execve but not the other.

As recently as October 2012, 32-bit Linux kernels preserved both iopl
and ioperm across fork and execve, but the behavior of iopl changed
with this commit:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/x86/kernel/process_32.c?id=6783eaa2e1253fbcbe2c2f6bb4c843abf1343caf

And the man page for iopl continues to state "permissions are
inherited by fork and execve": http://linux.die.net/man/2/iopl

A test program demonstrating the problem is attached, and I will send
a proposed patch shortly. CAP_SYS_RAWIO is still required to use
ioperm or iopl.

Please CC me on any reply, as I am not subscribed to the LKML.

-Alex

[-- Attachment #2: iopl3.c --]
[-- Type: text/x-csrc, Size: 267 bytes --]

#include <stdio.h>
#include <unistd.h>

int main(int argc, char* argv[])
{
    if (iopl(3) == -1)
    {
        perror("iopl");
        return 1;
    }

    if (execvp(argv[1], &argv[1]) == -1)
    {
        perror("execvp");
        return 1;
    }

    return 0;
}

[-- Attachment #3: beep.c --]
[-- Type: text/x-csrc, Size: 499 bytes --]

//Plays a tone on the system speaker for 1 second

#include <stdio.h>

int main()
{
    __asm__("movb $0xB6, %al\n"
            "outb %al, $0x43\n"
            "inb $0x61, %al\n"
            "orb $0x03, %al\n"
            "outb %al, $0x61\n"
            "movb $0x64, %al\n"
            "outb %al, $0x42\n"
            "movb $0x01, %al\n"
            "outb %al, $0x42\n");
    sleep(1);
    __asm__("inb $0x61, %al\n"
            "andb $0xFC, %al\n"
            "outb %al, $0x61\n");
    return 0;
}

[-- Attachment #4: test.sh --]
[-- Type: application/x-sh, Size: 103 bytes --]

Re: Fwd: ioperm is preserved across fork and execve, but iopl is not

[H. Peter Anvin]

On 05/11/2015 01:49 PM, Alex Henrie wrote:
> 
> The ioperm and iopl calls are both used to grant a process permission
> to access I/O devices directly. iopl(3) is equivalent to ioperm(0,
> 0xFFFF, 1). However, permissions granted through ioperm are preserved
> across fork and execve, and permissions granted through iopl are not.
> This makes no sense: The two calls do the same thing, so there is no
> security benefit to dropping one on fork or execve but not the other.
> 

They don't, in fact.  An iopl(3) process is allowed to disable
interrupts in user space, which an ioperm() process is not.

This is a HUGE deal.  This really makes me wonder if iopl(3) should be
allowed at all, or if we should just intercept it and treat it as ioperm().
	
	-hpa

Re: ioperm is preserved across fork and execve, but iopl is not

[One Thousand Gnomes]

> As recently as October 2012, 32-bit Linux kernels preserved both iopl
> and ioperm across fork and execve, but the behavior of iopl changed
> with this commit:
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/x86/kernel/process_32.c?id=6783eaa2e1253fbcbe2c2f6bb4c843abf1343caf

Missed this thread initially. That perhaps does argue for it being safer
to put back.

> And the man page for iopl continues to state "permissions are
> inherited by fork and execve": http://linux.die.net/man/2/iopl
> 
> A test program demonstrating the problem is attached

Is there a real world use case ?

Alan

Re: ioperm is preserved across fork and execve, but iopl is not

[Alex Henrie]

2015-05-11 15:11 GMT-06:00 One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>:
> Is there a real world use case ?

Back in 2012 I needed to make a legacy program run that accessed the
parallel port directly. Rewriting the program was not an option. So I
wrote a helper program that used iopl and execve to grant the
necessary permissions, but it only worked on 32-bit kernels. Then I
realized that I could do the same thing with ioperm, and my problem
went away, but the difference in behavior between iopl and ioperm has
bothered me ever since.

2015-05-11 14:56 GMT-06:00 H. Peter Anvin <hpa@zytor.com>:
> An iopl(3) process is allowed to disable
> interrupts in user space, which an ioperm() process is not.
>
> This is a HUGE deal.  This really makes me wonder if iopl(3) should be
> allowed at all, or if we should just intercept it and treat it as ioperm().

I thought the general philosophy is that a privileged process can do
anything it wants to. Removing the ability to disable interrupts in
user space, or removing the ability to use iopl across execve, seems
contrary to that goal.

Still, if there is a security concern resulting from preserving iopl
across execve, maybe the best thing to do is leave iopl and ioperm
exactly as they are, update the documentation, and tell people to use
ioperm whenever possible.

-Alex