Kernel: Don't allow modifying IOPL via sys$ptrace() or sys$sigreturn()

It was possible to overwrite the entire EFLAGS register since we didn't do any masking in the ptrace and sigreturn syscalls. This made it trivial to gain IO privileges by raising IOPL to 3 and then you could talk to hardware to do all kinds of nasty things. Thanks to @allesctf for finding these issues! :^) Their exploit/write-up: https://github.com/allesctf/writeups/blob/master/2020/hxpctf/wisdom2/writeup.md
author: Andreas Kling <kling@serenityos.org> 2020-12-22 18:23:34 +0100
committer: Andreas Kling <kling@serenityos.org> 2020-12-22 19:38:25 +0100
commit: 6bfbc5f5f543a399de8d478216ecfde471f9b4c7 (patch)
tree: 2aa0f3a279a7a35e0a76205058ed40614e321382 /Kernel/Arch
parent: b452dd13b6d093b29acf0668fd8e91fd18514a74 (diff)
download: serenity-6bfbc5f5f543a399de8d478216ecfde471f9b4c7.zip
1 files changed, 2 insertions, 0 deletions
diff --git a/Kernel/Arch/i386/CPU.h b/Kernel/Arch/i386/CPU.h
index c4d736dc15..39168b3be7 100644
--- a/Kernel/Arch/i386/CPU.h
+++ b/Kernel/Arch/i386/CPU.h
@@ -43,6 +43,8 @@ class MemoryManager;
 class PageDirectory;
 class PageTableEntry;
 
+static constexpr u32 safe_eflags_mask = 0xdff;
+
 struct [[gnu::packed]] DescriptorTablePointer
 {
     u16 limit;
author	Andreas Kling <kling@serenityos.org>	2020-12-22 18:23:34 +0100
committer	Andreas Kling <kling@serenityos.org>	2020-12-22 19:38:25 +0100
commit	6bfbc5f5f543a399de8d478216ecfde471f9b4c7 (patch)
tree	2aa0f3a279a7a35e0a76205058ed40614e321382 /Kernel/Arch
parent	b452dd13b6d093b29acf0668fd8e91fd18514a74 (diff)
download	serenity-6bfbc5f5f543a399de8d478216ecfde471f9b4c7.zip