From guido@gvr.win.tue.nl Sat Aug 7 06:58:04 1993

I posted some patches on the 386bsd_patchkit list to prohibit io access. Because of a noninitialised filed in the tss, this was possible. It is included below as the patch to machdep.c However, when you do this *necessary* fix (security), it will be impossible form within user space to do io. therefor, I included another fix: when you open /dev/io, you get the access. Of course you can rewrite it to use another minor and thus giving access to the iospace when /dev/mem is opened, e.g. NOTE: The /dev/io entry has not been added to /dev/MAKEDEV yet. The patch is in NetBSD.
1993-08-09 06:16:42 +00:00 · 1993-08-09 06:16:42 +00:00 · 78d172cab6
commit 78d172cab6
parent 2e38124735
5 changed files with 91 additions and 7 deletions
--- a/sys/amd64/amd64/machdep.c
+++ b/sys/amd64/amd64/machdep.c
@ -49,7 +49,7 @@
 * 20 Apr 93	Bruce Evans		New npx-0.5 code
 * 25 Apr 93	Bruce Evans		New intr-0.1 code
 */
-static char rcsid[] = "$Header: /a/cvs/386BSD/src/sys/i386/i386/machdep.c,v 1.4 1993/07/16 23:55:07 davidg Exp $";
+static char rcsid[] = "$Header: /freefall/a/cvs/386BSD/src/sys/i386/i386/machdep.c,v 1.5 1993/07/27 10:52:17 davidg Exp $";


 #include <stddef.h>
@ -1008,6 +1008,10 @@ init386(first)
 	proc0.p_addr->u_pcb.pcb_tss.tss_esp0 = (int) kstack + UPAGES*NBPG;
 	proc0.p_addr->u_pcb.pcb_tss.tss_ss0 = GSEL(GDATA_SEL, SEL_KPL) ;
 	_gsel_tss = GSEL(GPROC0_SEL, SEL_KPL);
+
+	((struct i386tss *)gdt_segs[GPROC0_SEL].ssd_base)->tss_ioopt = 
+		(sizeof(tss))<<16;
+
 	ltr(_gsel_tss);

 	/* make a call gate to reenter kernel with */
--- a/sys/amd64/amd64/mem.c
+++ b/sys/amd64/amd64/mem.c
@ -50,8 +50,10 @@
 #include "systm.h"
 #include "uio.h"
 #include "malloc.h"
+#include "proc.h"

 #include "machine/cpu.h"
+#include "machine/psl.h"

 #include "vm/vm_param.h"
 #include "vm/lock.h"
@ -61,6 +63,42 @@

 extern        char *vmmap;            /* poor name! */
 /*ARGSUSED*/
+mmclose(dev, uio, flags)
+	dev_t dev;
+	struct uio *uio;
+	int flags;
+{
+	struct syscframe *fp;
+
+	switch (minor(dev)) {
+	case 14:
+		fp = (struct syscframe *)curproc->p_regs;
+		fp->sf_eflags &= ~PSL_IOPL;
+		break;
+	default:
+		break;
+	}
+	return(0);
+}
+/*ARGSUSED*/
+mmopen(dev, uio, flags)
+	dev_t dev;
+	struct uio *uio;
+	int flags;
+{
+	struct syscframe *fp;
+
+	switch (minor(dev)) {
+	case 14:
+		fp = (struct syscframe *)curproc->p_regs;
+		fp->sf_eflags |= PSL_IOPL;
+		break;
+	default:
+		break;
+	}
+	return(0);
+}
+/*ARGSUSED*/
 mmrw(dev, uio, flags)
 	dev_t dev;
 	struct uio *uio;
--- a/sys/i386/i386/conf.c
+++ b/sys/i386/i386/conf.c
@ -56,7 +56,7 @@
 * 28 Jul 93	Jordan K. Hubbard	Free codrv's slot again
 *
 */
-static char rcsid[] = "$Header: /a/cvs/386BSD/src/sys/i386/i386/conf.c,v 1.1.1.1 1993/06/12 14:58:07 rgrimes Exp $";
+static char rcsid[] = "$Header: /freefall/a/cvs/386BSD/src/sys/i386/i386/conf.c,v 1.2 1993/07/30 00:57:06 jkh Exp $";

 #include "param.h"
 #include "systm.h"
@ -213,7 +213,7 @@ extern	struct tty pccons;

 int	cttyopen(), cttyread(), cttywrite(), cttyioctl(), cttyselect();

-int 	mmrw();
+int 	mmopen(), mmclose(), mmrw();
 #define	mmselect	seltrue

 #include "pty.h"
@ -359,9 +359,9 @@ struct cdevsw	cdevsw[] =
 	{ cttyopen,	nullop,		cttyread,	cttywrite,	/*1*/
 	  cttyioctl,	nullop,		nullop,		NULL,	/* tty */
 	  cttyselect,	enodev,		NULL },
-        { nullop,       nullop,         mmrw,           mmrw,           /*2*/
-          enodev,       nullop,         nullop,         NULL,	/* memory */
-          mmselect,     enodev,         NULL },
+	{ mmopen,	mmclose,	mmrw,		mmrw,		/*2*/
+	  enodev,	nullop,		nullop,		NULL,	/* memory */
+	  mmselect,	enodev,		NULL },
 	{ wdopen,	wdclose,	rawread,	rawwrite,	/*3*/
 	  wdioctl,	enodev,		nullop,		NULL,	/* wd */
 	  seltrue,	enodev,		wdstrategy },
--- a/sys/i386/i386/machdep.c
+++ b/sys/i386/i386/machdep.c
@ -49,7 +49,7 @@
 * 20 Apr 93	Bruce Evans		New npx-0.5 code
 * 25 Apr 93	Bruce Evans		New intr-0.1 code
 */
-static char rcsid[] = "$Header: /a/cvs/386BSD/src/sys/i386/i386/machdep.c,v 1.4 1993/07/16 23:55:07 davidg Exp $";
+static char rcsid[] = "$Header: /freefall/a/cvs/386BSD/src/sys/i386/i386/machdep.c,v 1.5 1993/07/27 10:52:17 davidg Exp $";


 #include <stddef.h>
@ -1008,6 +1008,10 @@ init386(first)
 	proc0.p_addr->u_pcb.pcb_tss.tss_esp0 = (int) kstack + UPAGES*NBPG;
 	proc0.p_addr->u_pcb.pcb_tss.tss_ss0 = GSEL(GDATA_SEL, SEL_KPL) ;
 	_gsel_tss = GSEL(GPROC0_SEL, SEL_KPL);
+
+	((struct i386tss *)gdt_segs[GPROC0_SEL].ssd_base)->tss_ioopt = 
+		(sizeof(tss))<<16;
+
 	ltr(_gsel_tss);

 	/* make a call gate to reenter kernel with */
--- a/sys/i386/i386/mem.c
+++ b/sys/i386/i386/mem.c
@ -50,8 +50,10 @@
 #include "systm.h"
 #include "uio.h"
 #include "malloc.h"
+#include "proc.h"

 #include "machine/cpu.h"
+#include "machine/psl.h"

 #include "vm/vm_param.h"
 #include "vm/lock.h"
@ -61,6 +63,42 @@

 extern        char *vmmap;            /* poor name! */
 /*ARGSUSED*/
+mmclose(dev, uio, flags)
+	dev_t dev;
+	struct uio *uio;
+	int flags;
+{
+	struct syscframe *fp;
+
+	switch (minor(dev)) {
+	case 14:
+		fp = (struct syscframe *)curproc->p_regs;
+		fp->sf_eflags &= ~PSL_IOPL;
+		break;
+	default:
+		break;
+	}
+	return(0);
+}
+/*ARGSUSED*/
+mmopen(dev, uio, flags)
+	dev_t dev;
+	struct uio *uio;
+	int flags;
+{
+	struct syscframe *fp;
+
+	switch (minor(dev)) {
+	case 14:
+		fp = (struct syscframe *)curproc->p_regs;
+		fp->sf_eflags |= PSL_IOPL;
+		break;
+	default:
+		break;
+	}
+	return(0);
+}
+/*ARGSUSED*/
 mmrw(dev, uio, flags)
 	dev_t dev;
 	struct uio *uio;