Bug in IO bitmap handling? Probably exploitable (2.6.5)

From: Stas Sergeev
Date: Fri May 07 2004 - 10:11:51 EST

Next message: Dave Jones: "Re: 2.6.6-rc3-mm2 (4KSTACK)"
Previous message: Daniele Venzano: "Re: [PATCH] sis900 fix (Was: [CHECKER] Resource leaks in driver shutdown functions)"
Next in thread: Linus Torvalds: "Re: Bug in IO bitmap handling? Probably exploitable (2.6.5)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello.

The attached is the small program that
tries to write 0x20 to port 0x20.
Normally this should cause SIGSEGV, so
the program should crash.
I think there is a bug in the 2.6
kernels though, which makes it to not
crash if some trivial conditions are
met. Basically it seems that if any process
that obtained an IO access permissions
via ioperm(), exits without explicitly
"dropping" that permissions, the IO
permissions gets "inherited" by all
other processes in the system.
The cause seems to be that exit_thread()
only invalidates the per-thread io_bitmap
pointer, but doesn't invalidate the
per-TSS io_bitmap pointer as well. As the
per-thread pointer is invalidated,
__switch_to() doesn't take care of that
one either, so the per-TSS pointer stays
valid as long as some other process
does ioperm().
Here it is sufficient to start an X server
and exit it, and then the program that
is attached, will not get a SIGSEGV any
more, actually successing with the port
write.
I am also attaching the patch that seems
like fixing the problem - it invalidates
also the per-TSS io_bitmap pointer and
the problem goes away.

Can someone please confirm (or refute)
the presense of the bug there? Because
if it is really a bug, I suppose it can
be exploited, if not for getting root,
then at least to deadlock the machine.

#include <stdio.h>
#include <asm/io.h>

int main()
{
outb(0x20, 0x20);
printf("Fine, I am alive!\n");
return 0;
}

--- linux/arch/i386/kernel/process.c 2004-04-14 09:41:14.000000000 +0400
+++ linux/arch/i386/kernel/process.c 2004-05-07 14:54:13.000000000 +0400
@@ -293,8 +293,11 @@

/* The process may have allocated an io port bitmap... nuke it. */
if (unlikely(NULL != tsk->thread.io_bitmap_ptr)) {
+ int cpu = smp_processor_id();
+ struct tss_struct *tss = init_tss + cpu;
kfree(tsk->thread.io_bitmap_ptr);
tsk->thread.io_bitmap_ptr = NULL;
+ tss->io_bitmap_base = INVALID_IO_BITMAP_OFFSET;
}
}

Scanned by evaluation version of Dr.Web antivirus Daemon
http://drweb.ru/unix/

Next message: Dave Jones: "Re: 2.6.6-rc3-mm2 (4KSTACK)"
Previous message: Daniele Venzano: "Re: [PATCH] sis900 fix (Was: [CHECKER] Resource leaks in driver shutdown functions)"
Next in thread: Linus Torvalds: "Re: Bug in IO bitmap handling? Probably exploitable (2.6.5)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]