Subject: Re: aperture driver?
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Chris G. Demetriou <cgd@pa.dec.com>
List: port-i386
Date: 07/01/1998 09:35:24
> Well, it should be really easy: the aperture driver allows writing to the
> memory.

False.

It specifically checks:

    /* returns the physical page number to map, or -1 to refuse */
    if ((minor(dev) == 0)
        && ((offset >= VGA_START && offset <= VGA_END)
            || (unsigned)offset > (unsigned)ctob(physmem)
#ifdef PC98
            || ((unsigned)offset >= HOLE16M_START
                && (unsigned)offset <= HOLE16M_END)
#endif
           )) {
        return i386_btop(offset);
    } else {
        return (-1);
    }

To _avoid_ allowing access to real memory.

(Whether or not you can access real memory outside of 0 -> end of real
memory is a different question, relating to address decoding and
wrapping, which probably can't be guaranteed on all PCs, but still I'm
assuming that on modern PCs, <after end of real memory, but not in
device memory> will get you a hardware fault or 'nothing'.)


> So if you can find the physical address of the '_securelevel' variable, you
> can write another value here and it's done. 'nm /netbsd' will give you the
> virtual address, translating to physical address should be easy for someone
> who knows about the VM system. Another way to do this is to locate the
> virtual address of a well-known string (e.g. _copyright) and locate it
> in /dev/mem.

This is the basic technique, but it involves a bit more work.  (you
need to poke at devices; non-trivial, but hey, we provide source. 8-)

The same is possible via careful manipulation of I/O ports.
(Unfortunately, it looks like there's a bug in the code which
disallows them in secure mode, so that they're only disallowed in
'very secure' mode.)

In general, this is the type of thing that's non-trivial (but not hard
for a skilled cracker), but once it's done once, an exploit will be out
there for less-skilled people to use.


> Fixing the aperture driver may be hard. I think this would require some
> interaction with the VM system (and/or possibly the PMAP) to have a list
> of physical "real memory" pages and disallow accesses to these addresses.

Wrong technique.  Fixing the aperture driver is best done by making it
go away.

Have the drivers export regions where the hardware lives, and give
XF86 access to those regions.  Have it access only those regions.

In some cases, e.g. systems with ISA or ISA-like video cards, or EISA
video cards, you lose and need 'insecure' if you want to run X
quickly.  "bummer, the PC architecture sucks."



cgd
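As an added illustration (example code, not from this mail or from NetBSD's mem.c): the quoted deny-list test rewritten beside the allow-list approach cgd describes, with VGA_START/VGA_END, a 16 MB physmem and the exported region table all constructed assumptions. The last probe, an address past the end of RAM that no device decodes, shows the difference: the deny-list maps it and leaves the outcome to address decoding, while the allow-list refuses it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed constants: the i386 legacy VGA window, 4 KB pages and a
 * machine with 16 MB of RAM (physmem is kept in pages, as in the mail). */
#define PAGE_SHIFT    12
#define VGA_START     0xA0000UL
#define VGA_END       0xBFFFFUL
#define PHYSMEM_PAGES ((16UL * 1024 * 1024) >> PAGE_SHIFT)
#define ctob(pages)   ((unsigned long)(pages) << PAGE_SHIFT)

/* The deny-list test quoted in the mail (non-PC98 form): the VGA window
 * and anything beyond the end of RAM is mappable; RAM itself is not. */
static bool denylist_allows(unsigned long offset)
{
    return (offset >= VGA_START && offset <= VGA_END)
        || offset > ctob(PHYSMEM_PAGES);
}

/* What cgd proposes instead: the drivers export the regions where the
 * hardware actually lives, and only those regions are mappable. */
struct region { unsigned long start, len; };

static const struct region exported[] = {      /* constructed sample table */
    { VGA_START, VGA_END - VGA_START + 1 },    /* legacy VGA window        */
    { 0xE0000000UL, 0x01000000UL },            /* hypothetical 16 MB PCI   */
};                                             /* frame-buffer aperture    */

static bool allowlist_allows(unsigned long offset)
{
    for (size_t i = 0; i < sizeof exported / sizeof exported[0]; i++)
        if (offset >= exported[i].start &&
            offset - exported[i].start < exported[i].len)
            return true;
    return false;
}

int main(void)
{
    /* Constructed probes: RAM, VGA window, PCI aperture, undecoded space. */
    const unsigned long probes[] = { 0x00100000UL, 0xA8000UL,
                                     0xE0080000UL, 0x02000000UL };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%#010lx  deny-list:%s  allow-list:%s\n", probes[i],
               denylist_allows(probes[i]) ? "map   " : "refuse",
               allowlist_allows(probes[i]) ? "map   " : "refuse");
    return 0;
}
```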