A potential local denial of service vulnerability has been discovered in the 2.6 Linux kernel.
<!-- MHonArc v2.6.6 -->
<!--X-Subject: Bug in IO bitmap handling? Probably exploitable (2.6.5) -->
<!--X-From-R13: Egnf Eretrri <fgfcNnxarg.eh> -->
<!--X-Date: Fri, 7 May 2004 10:11:51 -0500 (EST) -->
<!--X-Message-Id: 409BA6B1.7030809@aknet.ru -->
<!--X-Content-Type: multipart/mixed -->
<!--X-Head-End-->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"
"https://www.w3.org/TR/REC-html40/loose.dtd">
<html>
<head>
<meta HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-2">
<title>Linux-Kernel Archive: Bug in IO bitmap handling? Probably exploitable (2.6.5)</title>
<meta NAME="Author" CONTENT="Stas Sergeev <stsp@aknet.ru>">
<meta NAME="Subject" CONTENT="Bug in IO bitmap handling? Probably exploitable (2.6.5)">
</head>
<body BGCOLOR="#FFFFFF" TEXT="#000000">
<!--X-Body-Begin-->
<!--X-User-Header-->
<!--X-User-Header-End-->
<!--X-TopPNI-->
<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
<h1>Bug in IO bitmap handling? Probably exploitable (2.6.5)</h1>
<strong>From: </strong>Stas Sergeev
<br><strong>Date: </strong> Fri May 07 2004 - 10:11:51 EST
<p>
<ul>
<li><strong>Next message: </strong> <a href="1243.html"> Dave Jones: "Re: 2.6.6-rc3-mm2 (4KSTACK)"</a>
<li><strong>Previous message: </strong> <a href="1241.html"> Daniele Venzano: "Re: [PATCH] sis900 fix (Was: [CHECKER] Resource leaks in driver shutdown functions)"</a>
<li><strong>Next in thread: </strong> <a href="1265.html"> Linus Torvalds: "Re: Bug in IO bitmap handling? Probably exploitable (2.6.5)"</a>
<li><strong>Messages sorted by: </strong><a href="date.html#1242">[ date ]</a> <a href="index.html#1242">[ thread ]</a> <a href="subject.html#1242">[ subject ]</a> <a href="author.html#1242">[ author ]</a>
</ul>
<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->
<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->
<hr NOSHADE>
<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
<br>Hello.<br>
<br>
The attached is a small program that<br>
tries to write 0x20 to port 0x20.<br>
Normally this should cause SIGSEGV, so<br>
the program should crash.<br>
I think there is a bug in the 2.6<br>
kernels though, which makes it not<br>
crash if some trivial conditions are<br>
met. Basically it seems that if any process<br>
that obtained IO access permissions<br>
via ioperm() exits without explicitly<br>
"dropping" those permissions, the IO<br>
permissions get "inherited" by all<br>
other processes in the system.<br>
The cause seems to be that exit_thread()<br>
only invalidates the per-thread io_bitmap<br>
pointer, but doesn't invalidate the<br>
per-TSS io_bitmap pointer as well. As the<br>
per-thread pointer is invalidated,<br>
__switch_to() doesn't take care of that<br>
one either, so the per-TSS pointer stays<br>
valid as long as some other process<br>
does ioperm().<br>
Here it is sufficient to start an X server<br>
and exit it, and then the attached<br>
program will not get a SIGSEGV any<br>
more, actually succeeding with the port<br>
write.<br>
I am also attaching the patch that seems<br>
to fix the problem - it also invalidates<br>
the per-TSS io_bitmap pointer and<br>
the problem goes away.<br>
<br>
Can someone please confirm (or refute)<br>
the presence of the bug there? Because<br>
if it is really a bug, I suppose it can<br>
be exploited, if not for getting root,<br>
then at least to deadlock the machine.<br>
<br>
<pre>
#include &lt;stdio.h&gt;
#include &lt;asm/io.h&gt;

int main()
{
	/* No ioperm() call: on a correct kernel this write must fault (SIGSEGV). */
	outb(0x20, 0x20);
	printf("Fine, I am alive!\n");
	return 0;
}
</pre>
<br>
--- linux/arch/i386/kernel/process.c 2004-04-14 09:41:14.000000000 +0400<br>
+++ linux/arch/i386/kernel/process.c 2004-05-07 14:54:13.000000000 +0400<br>
@@ -293,8 +293,11 @@<br>
<br>
/* The process may have allocated an io port bitmap... nuke it. */<br>
if (unlikely(NULL != tsk->thread.io_bitmap_ptr)) {<br>
+ int cpu = smp_processor_id();<br>
+ struct tss_struct *tss = init_tss + cpu;<br>
kfree(tsk->thread.io_bitmap_ptr);<br>
tsk->thread.io_bitmap_ptr = NULL;<br>
+ tss->io_bitmap_base = INVALID_IO_BITMAP_OFFSET;<br>
}<br>
}<br>
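Review bot: the added `int cpu = smp_processor_id();` runs inside exit_thread(), where preemption is still enabled, so with CONFIG_PREEMPT the exiting task can be preempted and migrated between reading the CPU id and the `tss->io_bitmap_base = INVALID_IO_BITMAP_OFFSET;` store, leaving the stale pointer in the TSS of the CPU it actually ran on. Bracket the TSS update with `int cpu = get_cpu();` and `put_cpu();` instead. A one-line comment above the new store saying why it is needed (__switch_to() keys off thread.io_bitmap_ptr, which the preceding line has just set to NULL, so it will never invalidate the TSS for this task) would also save the next reader a trip through the scheduler code.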
<br>
<br>
<br>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr NOSHADE>
<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>