RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-05-16 20:05:07 +00:00
Code Issues Activity Actions

Kernel: Panic if we're about to switch to a user thread with IOPL!=0

Browse source 
This is a crude protection against IOPL elevation attacks. If for
any reason we find ourselves about to switch to a user mode thread
with IOPL != 0, we'll now simply panic the kernel.

If this happens, it basically means that something tricked the kernel
into incorrectly modifying the IOPL of a thread, so it's no longer
safe to trust the kernel anyway.
This commit is contained in:
Andreas Kling 2020-12-23 14:18:13 +01:00
parent 488a613858
commit c25cf5fb56
2 changed files with 14 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
Kernel/Scheduler.cpp
View file

@ -356,6 +356,14 @@ bool Scheduler::context_switch(Thread* thread)
enter_current(*from_thread, false);
ASSERT(thread == Thread::current());
#if ARCH(I386)
auto iopl = get_iopl_from_eflags(Thread::current()->get_register_dump_from_stack().eflags);
if (thread->process().is_user_process() && iopl != 0) {
dbgln("PANIC: Switched to thread {} with non-zero IOPL={}", Thread::current()->tid().value(), iopl);
Processor::halt();
}
#endif
return true;
}