1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
|
// SPDX-License-Identifier: GPL-2.0
/*
* This contains the io-permission bitmap code - written by obz, with changes
* by Linus. 32/64 bits code unification by Miguel Botón.
*/
#include <linux/capability.h>
#include <linux/security.h>
#include <linux/syscalls.h>
#include <linux/bitmap.h>
#include <linux/ioport.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <asm/io_bitmap.h>
#include <asm/desc.h>
static atomic64_t io_bitmap_sequence;
void io_bitmap_share(struct task_struct *tsk)
{
/* Can be NULL when current->thread.iopl_emul == 3 */
if (current->thread.io_bitmap) {
/*
* Take a refcount on current's bitmap. It can be used by
* both tasks as long as none of them changes the bitmap.
*/
refcount_inc(¤t->thread.io_bitmap->refcnt);
tsk->thread.io_bitmap = current->thread.io_bitmap;
}
set_tsk_thread_flag(tsk, TIF_IO_BITMAP);
}
static void task_update_io_bitmap(void)
{
struct thread_struct *t = ¤t->thread;
if (t->iopl_emul == 3 || t->io_bitmap) {
/* TSS update is handled on exit to user space */
set_thread_flag(TIF_IO_BITMAP);
} else {
clear_thread_flag(TIF_IO_BITMAP);
/* Invalidate TSS */
preempt_disable();
tss_update_io_bitmap();
preempt_enable();
}
}
void io_bitmap_exit(void)
{
struct io_bitmap *iobm = current->thread.io_bitmap;
current->thread.io_bitmap = NULL;
task_update_io_bitmap();
if (iobm && refcount_dec_and_test(&iobm->refcnt))
kfree(iobm);
}
/*
* This changes the io permissions bitmap in the current task.
*/
long ksys_ioperm(unsigned long from, unsigned long num, int turn_on)
{
struct thread_struct *t = ¤t->thread;
unsigned int i, max_long;
struct io_bitmap *iobm;
if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
return -EINVAL;
if (turn_on && (!capable(CAP_SYS_RAWIO) ||
security_locked_down(LOCKDOWN_IOPORT)))
return -EPERM;
/*
* If it's the first ioperm() call in this thread's lifetime, set the
* IO bitmap up. ioperm() is much less timing critical than clone(),
* this is why we delay this operation until now:
*/
iobm = t->io_bitmap;
if (!iobm) {
/* No point to allocate a bitmap just to clear permissions */
if (!turn_on)
return 0;
iobm = kmalloc(sizeof(*iobm), GFP_KERNEL);
if (!iobm)
return -ENOMEM;
memset(iobm->bitmap, 0xff, sizeof(iobm->bitmap));
refcount_set(&iobm->refcnt, 1);
}
/*
* If the bitmap is not shared, then nothing can take a refcount as
* current can obviously not fork at the same time. If it's shared
* duplicate it and drop the refcount on the original one.
*/
if (refcount_read(&iobm->refcnt) > 1) {
iobm = kmemdup(iobm, sizeof(*iobm), GFP_KERNEL);
if (!iobm)
return -ENOMEM;
refcount_set(&iobm->refcnt, 1);
io_bitmap_exit();
}
/*
* Store the bitmap pointer (might be the same if the task already
* head one). Must be done here so freeing the bitmap when all
* permissions are dropped has the pointer set up.
*/
t->io_bitmap = iobm;
/* Mark it active for context switching and exit to user mode */
set_thread_flag(TIF_IO_BITMAP);
/*
* Update the tasks bitmap. The update of the TSS bitmap happens on
* exit to user mode. So this needs no protection.
*/
if (turn_on)
bitmap_clear(iobm->bitmap, from, num);
else
bitmap_set(iobm->bitmap, from, num);
/*
* Search for a (possibly new) maximum. This is simple and stupid,
* to keep it obviously correct:
*/
max_long = UINT_MAX;
for (i = 0; i < IO_BITMAP_LONGS; i++) {
if (iobm->bitmap[i] != ~0UL)
max_long = i;
}
/* All permissions dropped? */
if (max_long == UINT_MAX) {
io_bitmap_exit();
return 0;
}
iobm->max = (max_long + 1) * sizeof(unsigned long);
/*
* Update the sequence number to force a TSS update on return to
* user mode.
*/
iobm->sequence = atomic64_add_return(1, &io_bitmap_sequence);
return 0;
}
SYSCALL_DEFINE3(ioperm, unsigned long, from, unsigned long, num, int, turn_on)
{
return ksys_ioperm(from, num, turn_on);
}
/*
* The sys_iopl functionality depends on the level argument, which if
* granted for the task is used by the CPU to check I/O instruction and
* CLI/STI against the current priviledge level (CPL). If CPL is less than
* or equal the tasks IOPL level the instructions take effect. If not a #GP
* is raised. The default IOPL is 0, i.e. no permissions.
*
* Setting IOPL to level 0-2 is disabling the userspace access. Only level
* 3 enables it. If set it allows the user space thread:
*
* - Unrestricted access to all 65535 I/O ports
* - The usage of CLI/STI instructions
*
* The advantage over ioperm is that the context switch does not require to
* update the I/O bitmap which is especially true when a large number of
* ports is accessed. But the allowance of CLI/STI in userspace is
* considered a major problem.
*
* IOPL is strictly per thread and inherited on fork.
*/
SYSCALL_DEFINE1(iopl, unsigned int, level)
{
struct thread_struct *t = ¤t->thread;
struct pt_regs *regs = current_pt_regs();
unsigned int old;
/*
* Careful: the IOPL bits in regs->flags are undefined under Xen PV
* and changing them has no effect.
*/
if (IS_ENABLED(CONFIG_X86_IOPL_NONE))
return -ENOSYS;
if (level > 3)
return -EINVAL;
if (IS_ENABLED(CONFIG_X86_IOPL_EMULATION))
old = t->iopl_emul;
else
old = t->iopl >> X86_EFLAGS_IOPL_BIT;
/* No point in going further if nothing changes */
if (level == old)
return 0;
/* Trying to gain more privileges? */
if (level > old) {
if (!capable(CAP_SYS_RAWIO) ||
security_locked_down(LOCKDOWN_IOPORT))
return -EPERM;
}
if (IS_ENABLED(CONFIG_X86_IOPL_EMULATION)) {
t->iopl_emul = level;
task_update_io_bitmap();
} else {
/*
* Change the flags value on the return stack, which has
* been set up on system-call entry. See also the fork and
* signal handling code how this is handled.
*/
regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) |
(level << X86_EFLAGS_IOPL_BIT);
/* Store the new level in the thread struct */
t->iopl = level << X86_EFLAGS_IOPL_BIT;
/*
* X86_32 switches immediately and XEN handles it via
* emulation.
*/
set_iopl_mask(t->iopl);
}
return 0;
}
|
