Martin J. Bligh wrote:
> http://bugme.osdl.org/show_bug.cgi?id=703
>
> Summary: Security vulnerability in "ioperm" system call
> Kernel Version: 2.5.69
> Status: NEW
> Severity: low
> Owner: mbligh@aracnet.com
> Submitter: dave_matthew@yahoo.com
>
>
> Problem Description:
> The "ioperm" system call allows an unprivileged user to gain read and write
> access to I/O ports on the system. When used by a privileged process, the
> "ioperm" system call also fails to properly restrict privileges.
This patch makes sure that the ioperm bitmap in the TSS is correctly set
up during the first ioperm() call. Without this the TSS bitmap contains
random garbage until the next context switch.
-- Brian Gerst
diff -urN linux-2.5.64-bk5/arch/i386/kernel/ioport.c linux/arch/i386/kernel/ioport.c --- linux-2.5.64-bk5/arch/i386/kernel/ioport.c 2003-02-24 14:59:03.000000000 -0500 +++ linux/arch/i386/kernel/ioport.c 2003-03-14 10:19:48.000000000 -0500 @@ -84,15 +84,17 @@ t->ts_io_bitmap = bitmap; } - tss = init_tss + get_cpu(); - if (bitmap) - tss->bitmap = IO_BITMAP_OFFSET; /* Activate it in the TSS */ - /* * do it in the per-thread copy and in the TSS ... */ set_bitmap(t->ts_io_bitmap, from, num, !turn_on); - set_bitmap(tss->io_bitmap, from, num, !turn_on); + tss = init_tss + get_cpu(); + if (tss->bitmap == IO_BITMAP_OFFSET) { /* already active? */ + set_bitmap(tss->io_bitmap, from, num, !turn_on); + } else { + memcpy(tss->io_bitmap, t->ts_io_bitmap, IO_BITMAP_BYTES); + tss->bitmap = IO_BITMAP_OFFSET; /* Activate it in the TSS */ + } put_cpu(); out: return ret;
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu May 15 2003 - 22:00:39 EST