CVS commit: src/sys/arch

["Maxime Villard" <maxv%netbsd.org@localhost>]

Module Name:    src
Committed By:   maxv
Date:           Sun Dec 31 08:29:38 UTC 2017

Modified Files:
        src/sys/arch/amd64/amd64: machdep.c
        src/sys/arch/amd64/include: segments.h
        src/sys/arch/i386/i386: machdep.c
        src/sys/arch/i386/include: segments.h
        src/sys/arch/x86/x86: vm_machdep.c

Log Message:
Fix a huge privilege separation vulnerability in Xen-amd64.

On amd64 the kernel runs in ring3, like userland, and therefore SEL_KPL
equals SEL_UPL. While Xen can make a distinction between usermode and
kernelmode in %cs, it can't when it comes to iopl. Since we set SEL_KPL
in iopl, Xen sees SEL_UPL, and allows (unprivileged) userland processes
to read and write to the CPU ports.

It is easy, then, to completely escalate privileges; by reprogramming the
PIC, by reading the ATA disks, by intercepting the keyboard interrupts
(keylogger), etc.

Declare IOPL_KPL, set to 1 on Xen-amd64, which allows the kernel to use
the ports but not userland. I didn't test this change on i386, but it
seems fine enough.


To generate a diff of this commit:
cvs rdiff -u -r1.279 -r1.280 src/sys/arch/amd64/amd64/machdep.c
cvs rdiff -u -r1.33 -r1.34 src/sys/arch/amd64/include/segments.h
cvs rdiff -u -r1.799 -r1.800 src/sys/arch/i386/i386/machdep.c
cvs rdiff -u -r1.63 -r1.64 src/sys/arch/i386/include/segments.h
cvs rdiff -u -r1.29 -r1.30 src/sys/arch/x86/x86/vm_machdep.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.