--=_courier-18568-1052743208-0001-2
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Martin J. Bligh wrote:
> http://bugme.osdl.org/show_bug.cgi?id=703
>
> Summary: Security vulnerability in "ioperm" system call
> Kernel Version: 2.5.69
> Status: NEW
> Severity: low
> Owner: mbligh@aracnet.com
> Submitter: dave_matthew@yahoo.com
>
>
> Problem Description:
> The "ioperm" system call allows an unprivileged user to gain read and write
> access to I/O ports on the system. When used by a privileged process, the
> "ioperm" system call also fails to properly restrict privileges.
This patch makes sure that the ioperm bitmap in the TSS is correctly set
up during the first ioperm() call. Without this the TSS bitmap contains
random garbage until the next context switch.
-- Brian Gerst--=_courier-18568-1052743208-0001-2 Content-Type: text/plain; name=iobitmap-1; charset=iso-8859-1 Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="iobitmap-1"
diff -urN linux-2.5.64-bk5/arch/i386/kernel/ioport.c linux/arch/i386/kernel/ioport.c --- linux-2.5.64-bk5/arch/i386/kernel/ioport.c 2003-02-24 14:59:03.000000000 -0500 +++ linux/arch/i386/kernel/ioport.c 2003-03-14 10:19:48.000000000 -0500 @@ -84,15 +84,17 @@ t->ts_io_bitmap = bitmap; } - tss = init_tss + get_cpu(); - if (bitmap) - tss->bitmap = IO_BITMAP_OFFSET; /* Activate it in the TSS */ - /* * do it in the per-thread copy and in the TSS ... */ set_bitmap(t->ts_io_bitmap, from, num, !turn_on); - set_bitmap(tss->io_bitmap, from, num, !turn_on); + tss = init_tss + get_cpu(); + if (tss->bitmap == IO_BITMAP_OFFSET) { /* already active? */ + set_bitmap(tss->io_bitmap, from, num, !turn_on); + } else { + memcpy(tss->io_bitmap, t->ts_io_bitmap, IO_BITMAP_BYTES); + tss->bitmap = IO_BITMAP_OFFSET; /* Activate it in the TSS */ + } put_cpu(); out: return ret;
--=_courier-18568-1052743208-0001-2--