Fwd: ioperm is preserved across fork and execve, but iopl is not

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* Fwd: ioperm is preserved across fork and execve, but iopl is not
       [not found] <CAMMLpeSCiF3ibkG+z0AG3RxF3-1ijbitDKPNjoHuZYJZLDPSEw@mail.gmail.com>
@ 2015-05-11 20:49 ` Alex Henrie
  2015-05-11 20:56   ` H. Peter Anvin
  2015-05-11 21:11   ` One Thousand Gnomes
  0 siblings, 2 replies; 4+ messages in thread
From: Alex Henrie @ 2015-05-11 20:49 UTC (permalink / raw)
  To: Kees Cook, H. Peter Anvin, Doug Johnson, Thomas Gleixner,
	Ingo Molnar, Tyler Hicks, Al Viro, linux-kernel

[-- Attachment #1: Type: text/plain, Size: 1091 bytes --]

Dear kernel developers,

The ioperm and iopl calls are both used to grant a process permission
to access I/O devices directly. iopl(3) is equivalent to ioperm(0,
0xFFFF, 1). However, permissions granted through ioperm are preserved
across fork and execve, and permissions granted through iopl are not.
This makes no sense: The two calls do the same thing, so there is no
security benefit to dropping one on fork or execve but not the other.

As recently as October 2012, 32-bit Linux kernels preserved both iopl
and ioperm across fork and execve, but the behavior of iopl changed
with this commit:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/x86/kernel/process_32.c?id=6783eaa2e1253fbcbe2c2f6bb4c843abf1343caf

And the man page for iopl continues to state "permissions are
inherited by fork and execve": http://linux.die.net/man/2/iopl

A test program demonstrating the problem is attached, and I will send
a proposed patch shortly. CAP_SYS_RAWIO is still required to use
ioperm or iopl.

Please CC me on any reply, as I am not subscribed to the LKML.

-Alex

[-- Attachment #2: iopl3.c --]
[-- Type: text/x-csrc, Size: 267 bytes --]

#include <stdio.h>
#include <unistd.h>

int main(int argc, char* argv[])
{
    if (iopl(3) == -1)
    {
        perror("iopl");
        return 1;
    }

    if (execvp(argv[1], &argv[1]) == -1)
    {
        perror("execvp");
        return 1;
    }

    return 0;
}

[-- Attachment #3: beep.c --]
[-- Type: text/x-csrc, Size: 499 bytes --]

//Plays a tone on the system speaker for 1 second

#include <stdio.h>

int main()
{
    __asm__("movb $0xB6, %al\n"
            "outb %al, $0x43\n"
            "inb $0x61, %al\n"
            "orb $0x03, %al\n"
            "outb %al, $0x61\n"
            "movb $0x64, %al\n"
            "outb %al, $0x42\n"
            "movb $0x01, %al\n"
            "outb %al, $0x42\n");
    sleep(1);
    __asm__("inb $0x61, %al\n"
            "andb $0xFC, %al\n"
            "outb %al, $0x61\n");
    return 0;
}

[-- Attachment #4: test.sh --]
[-- Type: application/x-sh, Size: 103 bytes --]

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: Fwd: ioperm is preserved across fork and execve, but iopl is not
  2015-05-11 20:49 ` Fwd: ioperm is preserved across fork and execve, but iopl is not Alex Henrie
@ 2015-05-11 20:56   ` H. Peter Anvin
  2015-05-11 21:11   ` One Thousand Gnomes
  1 sibling, 0 replies; 4+ messages in thread
From: H. Peter Anvin @ 2015-05-11 20:56 UTC (permalink / raw)
  To: Alex Henrie, Kees Cook, Doug Johnson, Thomas Gleixner,
	Ingo Molnar, Tyler Hicks, Al Viro, linux-kernel

On 05/11/2015 01:49 PM, Alex Henrie wrote:
> 
> The ioperm and iopl calls are both used to grant a process permission
> to access I/O devices directly. iopl(3) is equivalent to ioperm(0,
> 0xFFFF, 1). However, permissions granted through ioperm are preserved
> across fork and execve, and permissions granted through iopl are not.
> This makes no sense: The two calls do the same thing, so there is no
> security benefit to dropping one on fork or execve but not the other.
> 

They don't, in fact.  An iopl(3) process is allowed to disable
interrupts in user space, which an ioperm() process is not.

This is a HUGE deal.  This really makes me wonder if iopl(3) should be
allowed at all, or if we should just intercept it and treat it as ioperm().
	
	-hpa



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: ioperm is preserved across fork and execve, but iopl is not
  2015-05-11 20:49 ` Fwd: ioperm is preserved across fork and execve, but iopl is not Alex Henrie
  2015-05-11 20:56   ` H. Peter Anvin
@ 2015-05-11 21:11   ` One Thousand Gnomes
  2015-05-11 21:23     ` Alex Henrie
  1 sibling, 1 reply; 4+ messages in thread
From: One Thousand Gnomes @ 2015-05-11 21:11 UTC (permalink / raw)
  To: Alex Henrie
  Cc: Kees Cook, H. Peter Anvin, Doug Johnson, Thomas Gleixner,
	Ingo Molnar, Tyler Hicks, Al Viro, linux-kernel

> As recently as October 2012, 32-bit Linux kernels preserved both iopl
> and ioperm across fork and execve, but the behavior of iopl changed
> with this commit:
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/arch/x86/kernel/process_32.c?id=6783eaa2e1253fbcbe2c2f6bb4c843abf1343caf

Missed this thread initially. That perhaps does argue for it being safer
to put back.

> And the man page for iopl continues to state "permissions are
> inherited by fork and execve": http://linux.die.net/man/2/iopl
> 
> A test program demonstrating the problem is attached

Is there a real world use case ?

Alan

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: ioperm is preserved across fork and execve, but iopl is not
  2015-05-11 21:11   ` One Thousand Gnomes
@ 2015-05-11 21:23     ` Alex Henrie
  0 siblings, 0 replies; 4+ messages in thread
From: Alex Henrie @ 2015-05-11 21:23 UTC (permalink / raw)
  To: One Thousand Gnomes
  Cc: Kees Cook, H. Peter Anvin, Doug Johnson, Thomas Gleixner,
	Ingo Molnar, Tyler Hicks, Al Viro, linux-kernel

2015-05-11 15:11 GMT-06:00 One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>:
> Is there a real world use case ?

Back in 2012 I needed to make a legacy program run that accessed the
parallel port directly. Rewriting the program was not an option. So I
wrote a helper program that used iopl and execve to grant the
necessary permissions, but it only worked on 32-bit kernels. Then I
realized that I could do the same thing with ioperm, and my problem
went away, but the difference in behavior between iopl and ioperm has
bothered me ever since.

2015-05-11 14:56 GMT-06:00 H. Peter Anvin <hpa@zytor.com>:
> An iopl(3) process is allowed to disable
> interrupts in user space, which an ioperm() process is not.
>
> This is a HUGE deal.  This really makes me wonder if iopl(3) should be
> allowed at all, or if we should just intercept it and treat it as ioperm().

I thought the general philosophy is that a privileged process can do
anything it wants to. Removing the ability to disable interrupts in
user space, or removing the ability to use iopl across execve, seems
contrary to that goal.

Still, if there is a security concern resulting from preserving iopl
across execve, maybe the best thing to do is leave iopl and ioperm
exactly as they are, update the documentation, and tell people to use
ioperm whenever possible.

-Alex

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2015-05-11 21:23 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <CAMMLpeSCiF3ibkG+z0AG3RxF3-1ijbitDKPNjoHuZYJZLDPSEw@mail.gmail.com>
2015-05-11 20:49 ` Fwd: ioperm is preserved across fork and execve, but iopl is not Alex Henrie
2015-05-11 20:56   ` H. Peter Anvin
2015-05-11 21:11   ` One Thousand Gnomes
2015-05-11 21:23     ` Alex Henrie

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox