[EROS-Arch] EROS security bug
Jonathan S. Shapiro
shap@cs.jhu.edu
Mon, 12 Mar 2001 08:48:44 -0500
Charlie:
This is actually a bug in Process::ValidateRegValues() at
http://www.eros-os.org/eros-src/sys/arch/i486/kernel/UserContext.cxx#513
I would be interested to know if the fault code is getting set there.
Certainly, this process should never have made it as far as IntTrap.cxx
with invalid CS or SS values.
There is a difficult problem hiding here. The ideal thing to do would be
to drop support for segment registers altogether, but this would
preclude (e.g.) windows emulation later. The next best thing is to
sanity check the values, which is what ValidateRegValues() is supposedly
doing.
Can you see if the fault code is getting set in ValidateRegValues(), and
why it is not causing a process fault?
The reason to expose that slot is to have a common mechanism for certain
process updates. My general take is that it's a better policy to check
the values than to restrict the changes, but I'm certainly prepared to
re-examine this -- particularly now that most of the per-process
operations are done through machine-dependent process code anyway.
Thanks
Jonathan
Charles Landau wrote:
>
> OC_Process_Swap(ProcPCandSP) allows you to write any value to the CS and
> SS registers, including any Current Privilege Level. tests/func/memmap
> is a new test that crashes at
> http://www.eros-os.org/eros-src/sys/arch/i486/kernel/IntTrap.cxx#188 as
> a result.
>
> Jonathan, I don't know what your preference would be to fix this. I know
> you wanted to keep the ProcPCandSP slot exposed for some reason. It
> would be simple enough to force the CS and SS to safe values. It would
> also be simple to disallow writing to this slot and force the user to
> use OC_SetRegs32 to write the PC and SP.
>
> _______________________________________________
> eros-arch mailing list
> eros-arch@mail.eros-os.org
> http://www.eros-os.org/mailman/listinfo/eros-arch
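The sanity check the thread describes, as an added illustration that is not the EROS kernel's own ValidateRegValues(): a user process may load CS and SS only with ring-3 selectors that index the kernel's designated user segments, and anything else sets a fault code so the caller can raise a process fault instead of letting the value reach the trap path. The GDT slot numbers, struct layout and fault-code names below are hypothetical placeholders, not EROS's real values.

```c
/* Added example of validating user-supplied CS/SS selectors before they are
 * installed in a process context. Not EROS code; the GDT indices and fault
 * codes are hypothetical placeholders chosen for this example. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* x86 segment selector layout: bits 0-1 RPL, bit 2 TI (0 = GDT, 1 = LDT),
 * bits 3-15 descriptor index. */
#define SEL_RPL(s)   ((s) & 0x3u)
#define SEL_TI(s)    (((s) >> 2) & 0x1u)
#define SEL_INDEX(s) ((s) >> 3)

/* Hypothetical GDT slots for the user code and data segments (assumption). */
#define GDT_USER_CODE_INDEX 4u
#define GDT_USER_DATA_INDEX 5u

enum fault_code {
    FC_NONE = 0,
    FC_BAD_CS,   /* CS is not the ring-3 user code selector */
    FC_BAD_SS    /* SS is not the ring-3 user data selector */
};

struct user_regs {
    uint32_t pc, sp;
    uint16_t cs, ss;
    enum fault_code fault;  /* nonzero after validation means: fault the process */
};

/* A selector is acceptable only if it requests ring 3, lives in the GDT, and
 * names exactly the segment the kernel reserved for user mode. A selector
 * with RPL 0 or an index into a kernel segment is rejected outright. */
static bool selector_ok(uint16_t sel, unsigned expected_index)
{
    if (SEL_RPL(sel) != 3) return false;   /* must be ring 3 */
    if (SEL_TI(sel) != 0)  return false;   /* no LDT selectors in this example */
    return SEL_INDEX(sel) == expected_index;
}

/* Validate CS and SS, recording a fault code in the context. Returns true
 * when the register set may be installed, false when the process must fault. */
bool validate_reg_values(struct user_regs *r)
{
    r->fault = FC_NONE;
    if (!selector_ok(r->cs, GDT_USER_CODE_INDEX)) { r->fault = FC_BAD_CS; return false; }
    if (!selector_ok(r->ss, GDT_USER_DATA_INDEX)) { r->fault = FC_BAD_SS; return false; }
    return true;
}

/* Build a selector from its fields (constructed test input). */
uint16_t make_selector(unsigned index, unsigned ti, unsigned rpl)
{
    return (uint16_t)((index << 3) | ((ti & 1u) << 2) | (rpl & 3u));
}

/* Convenience wrapper: run validation on a CS/SS pair and return the fault code. */
enum fault_code check_selectors(uint16_t cs, uint16_t ss)
{
    struct user_regs r = { 0, 0, cs, ss, FC_NONE };
    validate_reg_values(&r);
    return r.fault;
}

int main(void)
{
    /* Constructed inputs: a well-formed user context and one with a ring-0 CS. */
    uint16_t ucs = make_selector(GDT_USER_CODE_INDEX, 0, 3);
    uint16_t uss = make_selector(GDT_USER_DATA_INDEX, 0, 3);
    uint16_t kcs = make_selector(GDT_USER_CODE_INDEX, 0, 0);
    printf("user CS/SS: fault %d\n", check_selectors(ucs, uss));
    printf("ring-0 CS:  fault %d\n", check_selectors(kcs, uss));
    return 0;
}
```

The point of keeping the check in one place is the one the thread makes: if the slot stays exposed, every path that can write the context (the swap operation and the register-set call alike) must go through it, and a failed check must end in a process fault rather than in an installed context.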