Module Name: src Committed By: snj Date: Mon Feb 19 20:54:38 UTC 2018
Modified Files: src/sys/arch/amd64/amd64 [netbsd-6]: machdep.c src/sys/arch/amd64/include [netbsd-6]: segments.h src/sys/arch/i386/i386 [netbsd-6]: machdep.c src/sys/arch/i386/include [netbsd-6]: segments.h src/sys/arch/x86/x86 [netbsd-6]: vm_machdep.c Log Message: Pull up following revision(s) (requested by maxv in ticket #1517): sys/arch/amd64/amd64/machdep.c: 1.280 via patch sys/arch/amd64/include/segments.h: 1.34 via patch sys/arch/i386/i386/machdep.c: 1.800 sys/arch/i386/include/segments.h: 1.64 sys/arch/x86/x86/vm_machdep.c: 1.30 Fix a huge privilege separation vulnerability in Xen-amd64. On amd64 the kernel runs in ring3, like userland, and therefore SEL_KPL equals SEL_UPL. While Xen can make a distinction between usermode and kernelmode in %cs, it can't when it comes to iopl. Since we set SEL_KPL in iopl, Xen sees SEL_UPL, and allows (unprivileged) userland processes to read and write to the CPU ports. It is easy, then, to completely escalate privileges; by reprogramming the PIC, by reading the ATA disks, by intercepting the keyboard interrupts (keylogger), etc. Declare IOPL_KPL, set to 1 on Xen-amd64, which allows the kernel to use the ports but not userland. I didn't test this change on i386, but it seems fine enough. To generate a diff of this commit: cvs rdiff -u -r220.127.116.11 -r18.104.22.168 src/sys/arch/amd64/amd64/machdep.c cvs rdiff -u -r1.22 -r22.214.171.124 src/sys/arch/amd64/include/segments.h cvs rdiff -u -r1.717.2.8 -r1.717.2.9 src/sys/arch/i386/i386/machdep.c cvs rdiff -u -r1.54 -r126.96.36.199 src/sys/arch/i386/include/segments.h cvs rdiff -u -r1.14 -r188.8.131.52 src/sys/arch/x86/x86/vm_machdep.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.