mirror of https://github.com/RGBCube/serenity synced 2025-05-31 14:48:14 +00:00

Kernel: Don't allow modifying IOPL via sys$ptrace() or sys$sigreturn()

It was possible to overwrite the entire EFLAGS register since we didn't
do any masking in the ptrace and sigreturn syscalls.

This made it trivial to gain IO privileges by raising IOPL to 3 and
then you could talk to hardware to do all kinds of nasty things.

Thanks to @allesctf for finding these issues! :^)

Their exploit/write-up: https://github.com/allesctf/writeups/blob/master/2020/hxpctf/wisdom2/writeup.md
Andreas Kling 2020-12-22 18:23:34 +01:00
parent b452dd13b6
commit 6bfbc5f5f5
4 changed files with 13 additions and 2 deletions


@ -183,7 +183,8 @@ void copy_ptrace_registers_into_kernel_registers(RegisterState& kernel_regs, con
kernel_regs.esi = ptrace_regs.esi;
kernel_regs.edi = ptrace_regs.edi;
kernel_regs.eip = ptrace_regs.eip;
kernel_regs.eflags = ptrace_regs.eflags;
kernel_regs.eflags = (kernel_regs.eflags & ~safe_eflags_mask) | (ptrace_regs.eflags & safe_eflags_mask);
}
}
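Review bot: `safe_eflags_mask` is used in the new assignment but is not defined anywhere in this hunk, so its definition (presumably in one of the other changed files or a shared header) should be checked to confirm it is a whitelist of the flags user space is allowed to set, with IOPL (EFLAGS bits 12-13), IF, VM and the other privileged bits left outside it; the expression `(kernel_regs.eflags & ~safe_eflags_mask) | (ptrace_regs.eflags & safe_eflags_mask)` is only correct under that reading, since with a blacklist-style mask the sense would be inverted and the kernel's IOPL would be discarded rather than preserved. The same mask should be applied in the sys$sigreturn path named in the commit message, which is not part of this hunk. Note also that the rendered diff has lost its `-`/`+` markers: given the `-183,7 +183,8` header, the unconditional `kernel_regs.eflags = ptrace_regs.eflags;` line is the removed one and the masked assignment replaces it, rather than both executing in sequence.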