authorAndreas Kling <kling@serenityos.org>2020-12-23 14:18:13 +0100
committerAndreas Kling <kling@serenityos.org>2020-12-23 14:30:10 +0100
commitc25cf5fb5680389dadadd98fae19bcd7d96386ca (patch)
tree62e482a73f5ee5764005c2c96f6ed0b3ad1635fd /Kernel/Arch/i386
parent488a613858cb3ad279f9d3ff79000579c1314c03 (diff)
downloadserenity-c25cf5fb5680389dadadd98fae19bcd7d96386ca.zip
Kernel: Panic if we're about to switch to a user thread with IOPL!=0
This is a crude protection against IOPL elevation attacks. If for any reason we find ourselves about to switch to a user mode thread with IOPL != 0, we'll now simply panic the kernel. If this happens, it basically means that something tricked the kernel into incorrectly modifying the IOPL of a thread, so it's no longer safe to trust the kernel anyway.
Diffstat (limited to 'Kernel/Arch/i386')
-rw-r--r--Kernel/Arch/i386/CPU.h6
1 files changed, 6 insertions, 0 deletions
diff --git a/Kernel/Arch/i386/CPU.h b/Kernel/Arch/i386/CPU.h
index 39168b3be7..c5883caa51 100644
--- a/Kernel/Arch/i386/CPU.h
+++ b/Kernel/Arch/i386/CPU.h
@@ -44,6 +44,12 @@ class PageDirectory;
class PageTableEntry;
static constexpr u32 safe_eflags_mask = 0xdff;
+static constexpr u32 iopl_mask = 3u << 12;
+
+inline u32 get_iopl_from_eflags(u32 eflags)
+{
+ return (eflags & iopl_mask) >> 12;
+}
struct [[gnu::packed]] DescriptorTablePointer
{