Doesn't allowing a user mode program to access kernel space memory and execute the IN and OUT instructions defeat the purpose of having CPU modes?
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
When the CPU is in user mode, the CPU can't execute privileged instructions and can't access kernel space memory.
And when the CPU is in kernel mode, the CPU can execute all instructions and can access all memory.
Now in Linux, a user mode program can access all memory (using /dev/mem) and can execute the two privileged instructions IN and OUT (using iopl() I think).
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
linux
edited Mar 10 at 21:34
ilkkachu
63.3k10104181
asked Mar 10 at 20:57
user341099user341099
963
add a comment |
When the CPU is in user mode, the CPU can't execute privileged instructions and can't access kernel space memory.
And when the CPU is in kernel mode, the CPU can execute all instructions and can access all memory.
Now in Linux, a user mode program can access all memory (using /dev/mem) and can execute the two privileged instructions IN and OUT (using iopl() I think).
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
linux
edited Mar 10 at 21:34
ilkkachu
63.3k10104181
asked Mar 10 at 20:57
user341099user341099
963
add a comment |
When the CPU is in user mode, the CPU can't execute privileged instructions and can't access kernel space memory.
And when the CPU is in kernel mode, the CPU can execute all instructions and can access all memory.
Now in Linux, a user mode program can access all memory (using /dev/mem) and can execute the two privileged instructions IN and OUT (using iopl() I think).
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
linux
edited Mar 10 at 21:34
ilkkachu
63.3k10104181
asked Mar 10 at 20:57
user341099user341099
963
When the CPU is in user mode, the CPU can't execute privileged instructions and can't access kernel space memory.
And when the CPU is in kernel mode, the CPU can execute all instructions and can access all memory.
Now in Linux, a user mode program can access all memory (using /dev/mem) and can execute the two privileged instructions IN and OUT (using iopl() I think).
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
linux
linux
edited Mar 10 at 21:34
ilkkachu
63.3k10104181
asked Mar 10 at 20:57
user341099user341099
963
edited Mar 10 at 21:34
ilkkachu
63.3k10104181
asked Mar 10 at 20:57
user341099user341099
963
edited Mar 10 at 21:34
ilkkachu
63.3k10104181
edited Mar 10 at 21:34
ilkkachu
63.3k10104181
edited Mar 10 at 21:34
ilkkachu
63.3k10104181
63.3k10104181
asked Mar 10 at 20:57
user341099user341099
963
asked Mar 10 at 20:57
user341099user341099
963
asked Mar 10 at 20:57
user341099user341099
963
963
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Well, not all user mode programs can, only those with the appropriate privileges. And that's determined by the kernel.
/dev/mem is protected by the usual filesystem access permissions, and the CAP_SYS_RAWIO capability. iopl() and ioperm() are also restricted through the same capability.
/dev/mem can also be compiled out of the kernel altogether (CONFIG_DEVMEM).
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
Well, maybe. It depends on what you want privileged user-space processes to be able to do. User-space processes can also trash the whole hard drive if they have access to /dev/sda (or equivalent), even though that defeats the purpose of having a filesystem driver to handle storage access.
(Then there's also the fact that iopl() works by utilizing the CPU privilege modes on i386, so it can't well be said to defeat their purpose.)
edited Mar 11 at 12:21
Toby Speight
5,56811234
answered Mar 10 at 21:31
ilkkachuilkkachu
63.3k10104181
2
Eveniopldoesn't allow all privileged instructions, so it's still useful for making sure a buggy user-space program doesn't accidentally runinvdby jumping through a corrupted function pointer that points at executable memory starting with0F 08bytes. I added an answer with some of the non-security reasons why it's useful to have user-space processes elevate their privileges.
– Peter Cordes
Mar 11 at 3:39
add a comment |
Only in the same way that modprobe "defeats" security by loading new code into the kernel.
For various reasons, sometimes it makes more sense to have semi-privileged code (like graphics drivers inside the X server) running in user-space rather than a kernel thread.
- Being able to
killit more easily, unless it locks up the HW. - Having it demand-page its code / data from files in the filesystem. (Kernel memory is not pageable)
- Giving it its own virtual address space where bugs in the X server might just crash the X server, without taking down the kernel.
It doesn't do much for security, but there are big reliability and software architecture advantages.
Baking graphics drivers into the kernel might reduce context switches between X clients and X server, like just one user->kernel->user instead of having to get data into another use-space process, but X servers historically are too big and too buggy to want them fully in kernel.
Yes, malicious code with these privs could take over the kernel if it wanted to, using /dev/mem to modify kernel code.
Or on x86 for example, run a cli instruction to disable interrupts on that core after making an iopl system call to set its IO privilege level to ring 0.
But even x86 iopl "only" gives access to some instructions: in/out (and the string versions ins/outs), and cli/sti. It doesn't let you use rdmsr or wrmsr to read or write "model specific registers" (e.g. IA32_LSTAR which sets the kernel entry point address for the x86-64 syscall instruction), or use lidt to replace the interrupt-descriptor table (which would let you totally take over the machine from the existing kernel, at least on that core.)
You can't even read control registers (like CR3 which holds the physical address of the top-level page-directory, which an attacking process might find useful as an offset into /dev/mem to modify its own page tables as an alternative to mmaping more of /dev/mem.)
invd (invalidate all caches without write-back!! (use case = early BIOS before RAM is configured)) is another fun one that always requires full CPL 0 (current privilege level), not just IOPL. Even wbinvd is privileged because it's so slow (and not interruptible), and has to flush all caches across all cores. (See Is there a way to flush the entire CPU cache related to a program? and WBINVD instruction usage)
Bugs that result in a jump to a bad address running data as code thus can't execute any of these instructions by accident in a user-space X server.
The current privilege level (in protected and long mode) is the low 2 bits of cs (the code segment selector). mov eax, cs / and eax, 3 works in any mode to read the privilege level.
To write the privilege level, you do a jmp far or call far to set CS:RIP (but the GDT/LDT entry for the target segment can restrict it based on the old privilege level, which is why user-space can't do this to elevate itself). Or you use int or syscall to switch to ring 0 at a kernel entry point.
answered Mar 11 at 3:10
Peter CordesPeter Cordes
4,5831434
Actually, I'm pretty certain it's just code "selector" in Intel parlace. It was a segment in the 8086/8088, possibly in the 80186, but by the 80286, it was referred to as a selector, and I don't think they've officially changed that terminology since.
– a CVn
Mar 11 at 20:07
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f505527%2fdoesnt-allowing-a-user-mode-program-to-access-kernel-space-memory-and-execute-t%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Well, not all user mode programs can, only those with the appropriate privileges. And that's determined by the kernel.
/dev/mem is protected by the usual filesystem access permissions, and the CAP_SYS_RAWIO capability. iopl() and ioperm() are also restricted through the same capability.
/dev/mem can also be compiled out of the kernel altogether (CONFIG_DEVMEM).
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
Well, maybe. It depends on what you want privileged user-space processes to be able to do. User-space processes can also trash the whole hard drive if they have access to /dev/sda (or equivalent), even though that defeats the purpose of having a filesystem driver to handle storage access.
(Then there's also the fact that iopl() works by utilizing the CPU privilege modes on i386, so it can't well be said to defeat their purpose.)
edited Mar 11 at 12:21
Toby Speight
5,56811234
answered Mar 10 at 21:31
ilkkachuilkkachu
63.3k10104181
2
Eveniopldoesn't allow all privileged instructions, so it's still useful for making sure a buggy user-space program doesn't accidentally runinvdby jumping through a corrupted function pointer that points at executable memory starting with0F 08bytes. I added an answer with some of the non-security reasons why it's useful to have user-space processes elevate their privileges.
– Peter Cordes
Mar 11 at 3:39
add a comment |
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Well, not all user mode programs can, only those with the appropriate privileges. And that's determined by the kernel.
/dev/mem is protected by the usual filesystem access permissions, and the CAP_SYS_RAWIO capability. iopl() and ioperm() are also restricted through the same capability.
/dev/mem can also be compiled out of the kernel altogether (CONFIG_DEVMEM).
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
Well, maybe. It depends on what you want privileged user-space processes to be able to do. User-space processes can also trash the whole hard drive if they have access to /dev/sda (or equivalent), even though that defeats the purpose of having a filesystem driver to handle storage access.
(Then there's also the fact that iopl() works by utilizing the CPU privilege modes on i386, so it can't well be said to defeat their purpose.)
edited Mar 11 at 12:21
Toby Speight
5,56811234
answered Mar 10 at 21:31
ilkkachuilkkachu
63.3k10104181
2
Eveniopldoesn't allow all privileged instructions, so it's still useful for making sure a buggy user-space program doesn't accidentally runinvdby jumping through a corrupted function pointer that points at executable memory starting with0F 08bytes. I added an answer with some of the non-security reasons why it's useful to have user-space processes elevate their privileges.
– Peter Cordes
Mar 11 at 3:39
add a comment |
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Well, not all user mode programs can, only those with the appropriate privileges. And that's determined by the kernel.
/dev/mem is protected by the usual filesystem access permissions, and the CAP_SYS_RAWIO capability. iopl() and ioperm() are also restricted through the same capability.
/dev/mem can also be compiled out of the kernel altogether (CONFIG_DEVMEM).
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
Well, maybe. It depends on what you want privileged user-space processes to be able to do. User-space processes can also trash the whole hard drive if they have access to /dev/sda (or equivalent), even though that defeats the purpose of having a filesystem driver to handle storage access.
(Then there's also the fact that iopl() works by utilizing the CPU privilege modes on i386, so it can't well be said to defeat their purpose.)
edited Mar 11 at 12:21
Toby Speight
5,56811234
answered Mar 10 at 21:31
ilkkachuilkkachu
63.3k10104181
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Well, not all user mode programs can, only those with the appropriate privileges. And that's determined by the kernel.
/dev/mem is protected by the usual filesystem access permissions, and the CAP_SYS_RAWIO capability. iopl() and ioperm() are also restricted through the same capability.
/dev/mem can also be compiled out of the kernel altogether (CONFIG_DEVMEM).
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
Well, maybe. It depends on what you want privileged user-space processes to be able to do. User-space processes can also trash the whole hard drive if they have access to /dev/sda (or equivalent), even though that defeats the purpose of having a filesystem driver to handle storage access.
(Then there's also the fact that iopl() works by utilizing the CPU privilege modes on i386, so it can't well be said to defeat their purpose.)
edited Mar 11 at 12:21
Toby Speight
5,56811234
answered Mar 10 at 21:31
ilkkachuilkkachu
63.3k10104181
edited Mar 11 at 12:21
Toby Speight
5,56811234
edited Mar 11 at 12:21
Toby Speight
5,56811234
edited Mar 11 at 12:21
Toby Speight
5,56811234
5,56811234
answered Mar 10 at 21:31
ilkkachuilkkachu
63.3k10104181
answered Mar 10 at 21:31
ilkkachuilkkachu
63.3k10104181
answered Mar 10 at 21:31
ilkkachuilkkachu
63.3k10104181
63.3k10104181
2
Eveniopldoesn't allow all privileged instructions, so it's still useful for making sure a buggy user-space program doesn't accidentally runinvdby jumping through a corrupted function pointer that points at executable memory starting with0F 08bytes. I added an answer with some of the non-security reasons why it's useful to have user-space processes elevate their privileges.
– Peter Cordes
Mar 11 at 3:39
add a comment |
2
Eveniopldoesn't allow all privileged instructions, so it's still useful for making sure a buggy user-space program doesn't accidentally runinvdby jumping through a corrupted function pointer that points at executable memory starting with0F 08bytes. I added an answer with some of the non-security reasons why it's useful to have user-space processes elevate their privileges.
– Peter Cordes
Mar 11 at 3:39
2
2
Even
iopl doesn't allow all privileged instructions, so it's still useful for making sure a buggy user-space program doesn't accidentally run invd by jumping through a corrupted function pointer that points at executable memory starting with 0F 08 bytes. I added an answer with some of the non-security reasons why it's useful to have user-space processes elevate their privileges.– Peter Cordes
Mar 11 at 3:39
Even
iopl doesn't allow all privileged instructions, so it's still useful for making sure a buggy user-space program doesn't accidentally run invd by jumping through a corrupted function pointer that points at executable memory starting with 0F 08 bytes. I added an answer with some of the non-security reasons why it's useful to have user-space processes elevate their privileges.– Peter Cordes
Mar 11 at 3:39
add a comment |
Only in the same way that modprobe "defeats" security by loading new code into the kernel.
For various reasons, sometimes it makes more sense to have semi-privileged code (like graphics drivers inside the X server) running in user-space rather than a kernel thread.
- Being able to
killit more easily, unless it locks up the HW. - Having it demand-page its code / data from files in the filesystem. (Kernel memory is not pageable)
- Giving it its own virtual address space where bugs in the X server might just crash the X server, without taking down the kernel.
It doesn't do much for security, but there are big reliability and software architecture advantages.
Baking graphics drivers into the kernel might reduce context switches between X clients and X server, like just one user->kernel->user instead of having to get data into another use-space process, but X servers historically are too big and too buggy to want them fully in kernel.
Yes, malicious code with these privs could take over the kernel if it wanted to, using /dev/mem to modify kernel code.
Or on x86 for example, run a cli instruction to disable interrupts on that core after making an iopl system call to set its IO privilege level to ring 0.
But even x86 iopl "only" gives access to some instructions: in/out (and the string versions ins/outs), and cli/sti. It doesn't let you use rdmsr or wrmsr to read or write "model specific registers" (e.g. IA32_LSTAR which sets the kernel entry point address for the x86-64 syscall instruction), or use lidt to replace the interrupt-descriptor table (which would let you totally take over the machine from the existing kernel, at least on that core.)
You can't even read control registers (like CR3 which holds the physical address of the top-level page-directory, which an attacking process might find useful as an offset into /dev/mem to modify its own page tables as an alternative to mmaping more of /dev/mem.)
invd (invalidate all caches without write-back!! (use case = early BIOS before RAM is configured)) is another fun one that always requires full CPL 0 (current privilege level), not just IOPL. Even wbinvd is privileged because it's so slow (and not interruptible), and has to flush all caches across all cores. (See Is there a way to flush the entire CPU cache related to a program? and WBINVD instruction usage)
Bugs that result in a jump to a bad address running data as code thus can't execute any of these instructions by accident in a user-space X server.
The current privilege level (in protected and long mode) is the low 2 bits of cs (the code segment selector). mov eax, cs / and eax, 3 works in any mode to read the privilege level.
To write the privilege level, you do a jmp far or call far to set CS:RIP (but the GDT/LDT entry for the target segment can restrict it based on the old privilege level, which is why user-space can't do this to elevate itself). Or you use int or syscall to switch to ring 0 at a kernel entry point.
answered Mar 11 at 3:10
Peter CordesPeter Cordes
4,5831434
Actually, I'm pretty certain it's just code "selector" in Intel parlace. It was a segment in the 8086/8088, possibly in the 80186, but by the 80286, it was referred to as a selector, and I don't think they've officially changed that terminology since.
– a CVn
Mar 11 at 20:07
add a comment |
Only in the same way that modprobe "defeats" security by loading new code into the kernel.
For various reasons, sometimes it makes more sense to have semi-privileged code (like graphics drivers inside the X server) running in user-space rather than a kernel thread.
- Being able to
killit more easily, unless it locks up the HW. - Having it demand-page its code / data from files in the filesystem. (Kernel memory is not pageable)
- Giving it its own virtual address space where bugs in the X server might just crash the X server, without taking down the kernel.
It doesn't do much for security, but there are big reliability and software architecture advantages.
Baking graphics drivers into the kernel might reduce context switches between X clients and X server, like just one user->kernel->user instead of having to get data into another use-space process, but X servers historically are too big and too buggy to want them fully in kernel.
Yes, malicious code with these privs could take over the kernel if it wanted to, using /dev/mem to modify kernel code.
Or on x86 for example, run a cli instruction to disable interrupts on that core after making an iopl system call to set its IO privilege level to ring 0.
But even x86 iopl "only" gives access to some instructions: in/out (and the string versions ins/outs), and cli/sti. It doesn't let you use rdmsr or wrmsr to read or write "model specific registers" (e.g. IA32_LSTAR which sets the kernel entry point address for the x86-64 syscall instruction), or use lidt to replace the interrupt-descriptor table (which would let you totally take over the machine from the existing kernel, at least on that core.)
You can't even read control registers (like CR3 which holds the physical address of the top-level page-directory, which an attacking process might find useful as an offset into /dev/mem to modify its own page tables as an alternative to mmaping more of /dev/mem.)
invd (invalidate all caches without write-back!! (use case = early BIOS before RAM is configured)) is another fun one that always requires full CPL 0 (current privilege level), not just IOPL. Even wbinvd is privileged because it's so slow (and not interruptible), and has to flush all caches across all cores. (See Is there a way to flush the entire CPU cache related to a program? and WBINVD instruction usage)
Bugs that result in a jump to a bad address running data as code thus can't execute any of these instructions by accident in a user-space X server.
The current privilege level (in protected and long mode) is the low 2 bits of cs (the code segment selector). mov eax, cs / and eax, 3 works in any mode to read the privilege level.
To write the privilege level, you do a jmp far or call far to set CS:RIP (but the GDT/LDT entry for the target segment can restrict it based on the old privilege level, which is why user-space can't do this to elevate itself). Or you use int or syscall to switch to ring 0 at a kernel entry point.
answered Mar 11 at 3:10
Peter CordesPeter Cordes
4,5831434
Actually, I'm pretty certain it's just code "selector" in Intel parlace. It was a segment in the 8086/8088, possibly in the 80186, but by the 80286, it was referred to as a selector, and I don't think they've officially changed that terminology since.
– a CVn
Mar 11 at 20:07
add a comment |
Only in the same way that modprobe "defeats" security by loading new code into the kernel.
For various reasons, sometimes it makes more sense to have semi-privileged code (like graphics drivers inside the X server) running in user-space rather than a kernel thread.
- Being able to
killit more easily, unless it locks up the HW. - Having it demand-page its code / data from files in the filesystem. (Kernel memory is not pageable)
- Giving it its own virtual address space where bugs in the X server might just crash the X server, without taking down the kernel.
It doesn't do much for security, but there are big reliability and software architecture advantages.
Baking graphics drivers into the kernel might reduce context switches between X clients and X server, like just one user->kernel->user instead of having to get data into another use-space process, but X servers historically are too big and too buggy to want them fully in kernel.
Yes, malicious code with these privs could take over the kernel if it wanted to, using /dev/mem to modify kernel code.
Or on x86 for example, run a cli instruction to disable interrupts on that core after making an iopl system call to set its IO privilege level to ring 0.
But even x86 iopl "only" gives access to some instructions: in/out (and the string versions ins/outs), and cli/sti. It doesn't let you use rdmsr or wrmsr to read or write "model specific registers" (e.g. IA32_LSTAR which sets the kernel entry point address for the x86-64 syscall instruction), or use lidt to replace the interrupt-descriptor table (which would let you totally take over the machine from the existing kernel, at least on that core.)
You can't even read control registers (like CR3 which holds the physical address of the top-level page-directory, which an attacking process might find useful as an offset into /dev/mem to modify its own page tables as an alternative to mmaping more of /dev/mem.)
invd (invalidate all caches without write-back!! (use case = early BIOS before RAM is configured)) is another fun one that always requires full CPL 0 (current privilege level), not just IOPL. Even wbinvd is privileged because it's so slow (and not interruptible), and has to flush all caches across all cores. (See Is there a way to flush the entire CPU cache related to a program? and WBINVD instruction usage)
Bugs that result in a jump to a bad address running data as code thus can't execute any of these instructions by accident in a user-space X server.
The current privilege level (in protected and long mode) is the low 2 bits of cs (the code segment selector). mov eax, cs / and eax, 3 works in any mode to read the privilege level.
To write the privilege level, you do a jmp far or call far to set CS:RIP (but the GDT/LDT entry for the target segment can restrict it based on the old privilege level, which is why user-space can't do this to elevate itself). Or you use int or syscall to switch to ring 0 at a kernel entry point.
answered Mar 11 at 3:10
Peter CordesPeter Cordes
4,5831434
Only in the same way that modprobe "defeats" security by loading new code into the kernel.
For various reasons, sometimes it makes more sense to have semi-privileged code (like graphics drivers inside the X server) running in user-space rather than a kernel thread.
- Being able to
killit more easily, unless it locks up the HW. - Having it demand-page its code / data from files in the filesystem. (Kernel memory is not pageable)
- Giving it its own virtual address space where bugs in the X server might just crash the X server, without taking down the kernel.
It doesn't do much for security, but there are big reliability and software architecture advantages.
Baking graphics drivers into the kernel might reduce context switches between X clients and X server, like just one user->kernel->user instead of having to get data into another use-space process, but X servers historically are too big and too buggy to want them fully in kernel.
Yes, malicious code with these privs could take over the kernel if it wanted to, using /dev/mem to modify kernel code.
Or on x86 for example, run a cli instruction to disable interrupts on that core after making an iopl system call to set its IO privilege level to ring 0.
But even x86 iopl "only" gives access to some instructions: in/out (and the string versions ins/outs), and cli/sti. It doesn't let you use rdmsr or wrmsr to read or write "model specific registers" (e.g. IA32_LSTAR which sets the kernel entry point address for the x86-64 syscall instruction), or use lidt to replace the interrupt-descriptor table (which would let you totally take over the machine from the existing kernel, at least on that core.)
You can't even read control registers (like CR3 which holds the physical address of the top-level page-directory, which an attacking process might find useful as an offset into /dev/mem to modify its own page tables as an alternative to mmaping more of /dev/mem.)
invd (invalidate all caches without write-back!! (use case = early BIOS before RAM is configured)) is another fun one that always requires full CPL 0 (current privilege level), not just IOPL. Even wbinvd is privileged because it's so slow (and not interruptible), and has to flush all caches across all cores. (See Is there a way to flush the entire CPU cache related to a program? and WBINVD instruction usage)
Bugs that result in a jump to a bad address running data as code thus can't execute any of these instructions by accident in a user-space X server.
The current privilege level (in protected and long mode) is the low 2 bits of cs (the code segment selector). mov eax, cs / and eax, 3 works in any mode to read the privilege level.
To write the privilege level, you do a jmp far or call far to set CS:RIP (but the GDT/LDT entry for the target segment can restrict it based on the old privilege level, which is why user-space can't do this to elevate itself). Or you use int or syscall to switch to ring 0 at a kernel entry point.
answered Mar 11 at 3:10
Peter CordesPeter Cordes
4,5831434
answered Mar 11 at 3:10
Peter CordesPeter Cordes
4,5831434
answered Mar 11 at 3:10
Peter CordesPeter Cordes
4,5831434
answered Mar 11 at 3:10
Peter CordesPeter Cordes
4,5831434
4,5831434
Actually, I'm pretty certain it's just code "selector" in Intel parlace. It was a segment in the 8086/8088, possibly in the 80186, but by the 80286, it was referred to as a selector, and I don't think they've officially changed that terminology since.
– a CVn
Mar 11 at 20:07
add a comment |
Actually, I'm pretty certain it's just code "selector" in Intel parlace. It was a segment in the 8086/8088, possibly in the 80186, but by the 80286, it was referred to as a selector, and I don't think they've officially changed that terminology since.
– a CVn
Mar 11 at 20:07
Actually, I'm pretty certain it's just code "selector" in Intel parlace. It was a segment in the 8086/8088, possibly in the 80186, but by the 80286, it was referred to as a selector, and I don't think they've officially changed that terminology since.
– a CVn
Mar 11 at 20:07
Actually, I'm pretty certain it's just code "selector" in Intel parlace. It was a segment in the 8086/8088, possibly in the 80186, but by the 80286, it was referred to as a selector, and I don't think they've officially changed that terminology since.
– a CVn
Mar 11 at 20:07
add a comment |
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f505527%2fdoesnt-allowing-a-user-mode-program-to-access-kernel-space-memory-and-execute-t%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
