RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-31 13:38:11 +00:00
Code Issues Activity Actions

Kernel: Don't allow modifying IOPL via sys$ptrace() or sys$sigreturn()

Browse source 
It was possible to overwrite the entire EFLAGS register since we didn't
do any masking in the ptrace and sigreturn syscalls.

This made it trivial to gain IO privileges by raising IOPL to 3 and
then you could talk to hardware to do all kinds of nasty things.

Thanks to @allesctf for finding these issues! :^)

Their exploit/write-up: https://github.com/allesctf/writeups/blob/master/2020/hxpctf/wisdom2/writeup.md
This commit is contained in:
Andreas Kling 2020-12-22 18:23:34 +01:00
parent b452dd13b6
commit 6bfbc5f5f5
4 changed files with 13 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Kernel/Syscall.cpp
View file

@ -161,6 +161,14 @@ void syscall_handler(TrapFrame* trap)
asm volatile(""
: "=m"(*ptr));
static constexpr u32 iopl_mask = 3u << 12;
if ((regs.eflags & (iopl_mask)) != 0) {
dbgln("Syscall from process with IOPL != 0");
handle_crash(regs, "Non-zero IOPL on syscall entry", SIGSEGV);
ASSERT_NOT_REACHED();
}
if (!MM.validate_user_stack(process, VirtualAddress(regs.userspace_esp))) {
dbgln("Invalid stack pointer: {:p}", regs.userspace_esp);
handle_crash(regs, "Bad stack on syscall entry", SIGSTKFLT);