Subject: Re: aperture driver?
To: None <matthieu@laas.fr>
From: Chris G. Demetriou <cgd@pa.dec.com>
List: port-i386
Date: 07/01/1998 09:16:37
> I'm really not smart enough to find out. Can you show me how to
> make use of the aperture driver to lower the securelevel or to perform 
> tasks normally forbidden when securelevel = 1 ?

It allows access to space outside of memory, that would normally not
be allowed for root.

That means that a smart enough hacker -- and "smart enough" doesn't
have to be _that_ smart; remember, we've got full driver sources
available -- can use it to clobber devices and/or use them to
circumvent the normal system security.  It won't necessarily be
possible on all machines, but certainly on most.

Further than that I will not tell you, but if you're at all familiar
with hardware it shouldn't be that hard to figure out.

Similar holes are possible via the iopl mechanism, and you'll note
that:

int
i386_iopl(p, args, retval)
        struct proc *p;
        char *args;
        register_t *retval;
{
        int error;
        struct trapframe *tf = p->p_md.md_regs;
        struct i386_iopl_args ua;

        if (securelevel > 1)
                return EPERM;

That's actually bogus; it should be > 0.



cgd
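An added illustration of the off-by-one the message points out, not code from the original post or from the NetBSD kernel: a stand-alone C model of the securelevel gate (the function names here are hypothetical) swept over every securelevel value, showing that the check as quoted only starts refusing at securelevel 2, while the corrected `> 0` form refuses from securelevel 1 onward, which is the level that is supposed to be "secure".

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical model of the securelevel gate in i386_iopl(); not kernel code.
 * securelevel semantics: -1 permanently insecure, 0 insecure,
 * 1 secure, 2 highly secure. */

/* The check as quoted in the message: only securelevel 2 is refused,
 * so a system running at securelevel 1 still hands out I/O port access. */
int iopl_check_as_quoted(int securelevel) {
    if (securelevel > 1)
        return EPERM;
    return 0;
}

/* The check as the message says it should read: refused at 1 and above. */
int iopl_check_fixed(int securelevel) {
    if (securelevel > 0)
        return EPERM;
    return 0;
}

/* Lowest securelevel in [-1, 2] at which the given gate refuses,
 * i.e. the level at which it actually becomes effective; 3 if never. */
int first_refusing_level(int (*check)(int)) {
    for (int lvl = -1; lvl <= 2; lvl++)
        if (check(lvl) == EPERM)
            return lvl;
    return 3;
}

int main(void) {
    for (int lvl = -1; lvl <= 2; lvl++)
        printf("securelevel %2d: quoted check %-5s  fixed check %s\n", lvl,
               iopl_check_as_quoted(lvl) ? "EPERM" : "ok",
               iopl_check_fixed(lvl) ? "EPERM" : "ok");
    printf("quoted check effective from securelevel %d, fixed from %d\n",
           first_refusing_level(iopl_check_as_quoted),
           first_refusing_level(iopl_check_fixed));
    return 0;
}
```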