Doesn't allowing a user mode program to access kernel space memory and execute the IN and OUT instructions...
When the CPU is in user mode, the CPU can't execute privileged instructions and can't access kernel space memory.
And when the CPU is in kernel mode, the CPU can execute all instructions and can access all memory.
Now in Linux, a user mode program can access all memory (using /dev/mem) and can execute the two privileged instructions IN and OUT (using iopl() I think).
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
linux
edited 6 hours ago
ilkkachu
60.7k1098172
asked 7 hours ago
user341099user341099
261
New contributor
user341099 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
When the CPU is in user mode, the CPU can't execute privileged instructions and can't access kernel space memory.
And when the CPU is in kernel mode, the CPU can execute all instructions and can access all memory.
Now in Linux, a user mode program can access all memory (using /dev/mem) and can execute the two privileged instructions IN and OUT (using iopl() I think).
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
linux
edited 6 hours ago
ilkkachu
60.7k1098172
asked 7 hours ago
user341099user341099
261
New contributor
user341099 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
When the CPU is in user mode, the CPU can't execute privileged instructions and can't access kernel space memory.
And when the CPU is in kernel mode, the CPU can execute all instructions and can access all memory.
Now in Linux, a user mode program can access all memory (using /dev/mem) and can execute the two privileged instructions IN and OUT (using iopl() I think).
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
linux
edited 6 hours ago
ilkkachu
60.7k1098172
asked 7 hours ago
user341099user341099
261
New contributor
user341099 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
When the CPU is in user mode, the CPU can't execute privileged instructions and can't access kernel space memory.
And when the CPU is in kernel mode, the CPU can execute all instructions and can access all memory.
Now in Linux, a user mode program can access all memory (using /dev/mem) and can execute the two privileged instructions IN and OUT (using iopl() I think).
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
linux
linux
edited 6 hours ago
ilkkachu
60.7k1098172
asked 7 hours ago
user341099user341099
261
New contributor
user341099 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 6 hours ago
ilkkachu
60.7k1098172
asked 7 hours ago
user341099user341099
261
New contributor
user341099 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 6 hours ago
ilkkachu
60.7k1098172
edited 6 hours ago
ilkkachu
60.7k1098172
edited 6 hours ago
ilkkachu
60.7k1098172
60.7k1098172
asked 7 hours ago
user341099user341099
261
New contributor
user341099 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 7 hours ago
user341099user341099
261
asked 7 hours ago
user341099user341099
261
261
New contributor
user341099 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
user341099 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
user341099 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Well, not all use mode programs can, only those with the appropriate privileges. And that's determined by the kernel.
/dev/mem is protected by the usual filesystem access permissions, and the CAP_SYS_RAWIO capability. iopl() and ioperm() are also restricted through the same capability.
/dev/mem can also be compiled out of the kernel altogether (CONFIG_DEVMEM).
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
Well, maybe. It depends on what you want privileged user-space processes to be able to do. User-space processes can also trash the whole hard drive if they have access to /dev/sda (or equivalent), even though that defeats the purpose of having a filesystem driver to handle storage access.
(Then there's also the fact that iopl() works by utilizing the CPU privilege modes on i386, so it can't well be said to defeat their purpose.)
edited 6 hours ago
Stephen Kitt
175k24400477
answered 6 hours ago
ilkkachuilkkachu
60.7k1098172
Eveniopldoesn't allow all privileged instructions, so it's still useful for making sure a buggy user-space program doesn't accidentally runinvdby jumping through a corrupted function pointer that points at executable memory starting with0F 08bytes. I added an answer with some of the non-security reasons why it's useful to have user-space processes elevate their privileges.
– Peter Cordes
46 mins ago
add a comment |
Only in the same way that modprobe "defeats" security by loading new code into the kernel.
For various reasons, sometimes it makes more sense to have semi-privileged code (like graphics drivers inside the X server) running in user-space rather than a kernel thread.
- Being able to
killit more easily, unless it locks up the HW. - Having it demand-page its code / data from files in the filesystem. (Kernel memory is not pageable)
- Giving it its own virtual address space where bugs in the X server might just crash the X server, without taking down the kernel.
It doesn't do much for security, but there are big reliability and software architecture advantages.
Baking graphics drivers into the kernel might reduce context switches between X clients and X server, like just one user->kernel->user instead of having to get data into another use-space process, but X servers historically are too big and too buggy to want them fully in kernel.
Yes, malicious code with these privs could take over the kernel if it wanted to, using /dev/mem to modify kernel code.
Or on x86 for example, run a cli instruction to disable interrupts on that core after making an iopl system call to set its IO privilege level to ring 0.
But even x86 iopl "only" gives access to some instructions: in/out (and the string versions ins/outs), and cli/sti. It doesn't let you use rdmsr or wrmsr to read or write "model specific registers" (e.g. IA32_LSTAR which sets the kernel entry point address for the x86-64 syscall instruction), or use lidt to replace the interrupt-descriptor table (which would let you totally take over the machine from the existing kernel, at least on that core.)
You can't even read control registers (like CR3 which holds the physical address of the top-level page-directory, which an attacking process might find useful as an offset into /dev/mem to modify its own page tables as an alternative to mmaping more of /dev/mem.)
invd (invalidate all caches without write-back!! (use case = early BIOS before RAM is configured)) is another fun one that always requires full CPL 0 (current privilege level), not just IOPL. Even wbinvd is privileged because it's so slow (and not interruptible), and has to flush all caches across all cores. (See Is there a way to flush the entire CPU cache related to a program? and WBINVD instruction usage)
Bugs that result in a jump to a bad address running data as code thus can't execute any of these instructions by accident in a user-space X server.
The current privilege level (in protected and long mode) is the low 2 bits of cs (the code segment selector). mov eax, cs / and eax, 3 works in any mode to read the privilege level.
To write the privilege level, you do a jmp far or call far to set CS:RIP (but the GDT/LDT entry for the target segment can restrict it based on the old privilege level, which is why user-space can't do this to elevate itself). Or you use int or syscall to switch to ring 0 at a kernel entry point.
answered 1 hour ago
Peter CordesPeter Cordes
4,2431432
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "106"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
user341099 is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f505527%2fdoesnt-allowing-a-user-mode-program-to-access-kernel-space-memory-and-execute-t%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Well, not all use mode programs can, only those with the appropriate privileges. And that's determined by the kernel.
/dev/mem is protected by the usual filesystem access permissions, and the CAP_SYS_RAWIO capability. iopl() and ioperm() are also restricted through the same capability.
/dev/mem can also be compiled out of the kernel altogether (CONFIG_DEVMEM).
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
Well, maybe. It depends on what you want privileged user-space processes to be able to do. User-space processes can also trash the whole hard drive if they have access to /dev/sda (or equivalent), even though that defeats the purpose of having a filesystem driver to handle storage access.
(Then there's also the fact that iopl() works by utilizing the CPU privilege modes on i386, so it can't well be said to defeat their purpose.)
edited 6 hours ago
Stephen Kitt
175k24400477
answered 6 hours ago
ilkkachuilkkachu
60.7k1098172
Eveniopldoesn't allow all privileged instructions, so it's still useful for making sure a buggy user-space program doesn't accidentally runinvdby jumping through a corrupted function pointer that points at executable memory starting with0F 08bytes. I added an answer with some of the non-security reasons why it's useful to have user-space processes elevate their privileges.
– Peter Cordes
46 mins ago
add a comment |
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Well, not all use mode programs can, only those with the appropriate privileges. And that's determined by the kernel.
/dev/mem is protected by the usual filesystem access permissions, and the CAP_SYS_RAWIO capability. iopl() and ioperm() are also restricted through the same capability.
/dev/mem can also be compiled out of the kernel altogether (CONFIG_DEVMEM).
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
Well, maybe. It depends on what you want privileged user-space processes to be able to do. User-space processes can also trash the whole hard drive if they have access to /dev/sda (or equivalent), even though that defeats the purpose of having a filesystem driver to handle storage access.
(Then there's also the fact that iopl() works by utilizing the CPU privilege modes on i386, so it can't well be said to defeat their purpose.)
edited 6 hours ago
Stephen Kitt
175k24400477
answered 6 hours ago
ilkkachuilkkachu
60.7k1098172
Eveniopldoesn't allow all privileged instructions, so it's still useful for making sure a buggy user-space program doesn't accidentally runinvdby jumping through a corrupted function pointer that points at executable memory starting with0F 08bytes. I added an answer with some of the non-security reasons why it's useful to have user-space processes elevate their privileges.
– Peter Cordes
46 mins ago
add a comment |
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Well, not all use mode programs can, only those with the appropriate privileges. And that's determined by the kernel.
/dev/mem is protected by the usual filesystem access permissions, and the CAP_SYS_RAWIO capability. iopl() and ioperm() are also restricted through the same capability.
/dev/mem can also be compiled out of the kernel altogether (CONFIG_DEVMEM).
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
Well, maybe. It depends on what you want privileged user-space processes to be able to do. User-space processes can also trash the whole hard drive if they have access to /dev/sda (or equivalent), even though that defeats the purpose of having a filesystem driver to handle storage access.
(Then there's also the fact that iopl() works by utilizing the CPU privilege modes on i386, so it can't well be said to defeat their purpose.)
edited 6 hours ago
Stephen Kitt
175k24400477
answered 6 hours ago
ilkkachuilkkachu
60.7k1098172
So a user mode program in Linux can do most things (I think most things) that can be done in kernel mode.
Well, not all use mode programs can, only those with the appropriate privileges. And that's determined by the kernel.
/dev/mem is protected by the usual filesystem access permissions, and the CAP_SYS_RAWIO capability. iopl() and ioperm() are also restricted through the same capability.
/dev/mem can also be compiled out of the kernel altogether (CONFIG_DEVMEM).
Doesn't allowing a user mode program to have all this power defeats the purpose of having CPU modes?
Well, maybe. It depends on what you want privileged user-space processes to be able to do. User-space processes can also trash the whole hard drive if they have access to /dev/sda (or equivalent), even though that defeats the purpose of having a filesystem driver to handle storage access.
(Then there's also the fact that iopl() works by utilizing the CPU privilege modes on i386, so it can't well be said to defeat their purpose.)
edited 6 hours ago
Stephen Kitt
175k24400477
answered 6 hours ago
ilkkachuilkkachu
60.7k1098172
edited 6 hours ago
Stephen Kitt
175k24400477
edited 6 hours ago
Stephen Kitt
175k24400477
edited 6 hours ago
Stephen Kitt
175k24400477
175k24400477
answered 6 hours ago
ilkkachuilkkachu
60.7k1098172
answered 6 hours ago
ilkkachuilkkachu
60.7k1098172
answered 6 hours ago
ilkkachuilkkachu
60.7k1098172
60.7k1098172
Eveniopldoesn't allow all privileged instructions, so it's still useful for making sure a buggy user-space program doesn't accidentally runinvdby jumping through a corrupted function pointer that points at executable memory starting with0F 08bytes. I added an answer with some of the non-security reasons why it's useful to have user-space processes elevate their privileges.
– Peter Cordes
46 mins ago
add a comment |
Eveniopldoesn't allow all privileged instructions, so it's still useful for making sure a buggy user-space program doesn't accidentally runinvdby jumping through a corrupted function pointer that points at executable memory starting with0F 08bytes. I added an answer with some of the non-security reasons why it's useful to have user-space processes elevate their privileges.
– Peter Cordes
46 mins ago
Even
iopl doesn't allow all privileged instructions, so it's still useful for making sure a buggy user-space program doesn't accidentally run invd by jumping through a corrupted function pointer that points at executable memory starting with 0F 08 bytes. I added an answer with some of the non-security reasons why it's useful to have user-space processes elevate their privileges.– Peter Cordes
46 mins ago
Even
iopl doesn't allow all privileged instructions, so it's still useful for making sure a buggy user-space program doesn't accidentally run invd by jumping through a corrupted function pointer that points at executable memory starting with 0F 08 bytes. I added an answer with some of the non-security reasons why it's useful to have user-space processes elevate their privileges.– Peter Cordes
46 mins ago
add a comment |
Only in the same way that modprobe "defeats" security by loading new code into the kernel.
For various reasons, sometimes it makes more sense to have semi-privileged code (like graphics drivers inside the X server) running in user-space rather than a kernel thread.
- Being able to
killit more easily, unless it locks up the HW. - Having it demand-page its code / data from files in the filesystem. (Kernel memory is not pageable)
- Giving it its own virtual address space where bugs in the X server might just crash the X server, without taking down the kernel.
It doesn't do much for security, but there are big reliability and software architecture advantages.
Baking graphics drivers into the kernel might reduce context switches between X clients and X server, like just one user->kernel->user instead of having to get data into another use-space process, but X servers historically are too big and too buggy to want them fully in kernel.
Yes, malicious code with these privs could take over the kernel if it wanted to, using /dev/mem to modify kernel code.
Or on x86 for example, run a cli instruction to disable interrupts on that core after making an iopl system call to set its IO privilege level to ring 0.
But even x86 iopl "only" gives access to some instructions: in/out (and the string versions ins/outs), and cli/sti. It doesn't let you use rdmsr or wrmsr to read or write "model specific registers" (e.g. IA32_LSTAR which sets the kernel entry point address for the x86-64 syscall instruction), or use lidt to replace the interrupt-descriptor table (which would let you totally take over the machine from the existing kernel, at least on that core.)
You can't even read control registers (like CR3 which holds the physical address of the top-level page-directory, which an attacking process might find useful as an offset into /dev/mem to modify its own page tables as an alternative to mmaping more of /dev/mem.)
invd (invalidate all caches without write-back!! (use case = early BIOS before RAM is configured)) is another fun one that always requires full CPL 0 (current privilege level), not just IOPL. Even wbinvd is privileged because it's so slow (and not interruptible), and has to flush all caches across all cores. (See Is there a way to flush the entire CPU cache related to a program? and WBINVD instruction usage)
Bugs that result in a jump to a bad address running data as code thus can't execute any of these instructions by accident in a user-space X server.
The current privilege level (in protected and long mode) is the low 2 bits of cs (the code segment selector). mov eax, cs / and eax, 3 works in any mode to read the privilege level.
To write the privilege level, you do a jmp far or call far to set CS:RIP (but the GDT/LDT entry for the target segment can restrict it based on the old privilege level, which is why user-space can't do this to elevate itself). Or you use int or syscall to switch to ring 0 at a kernel entry point.
answered 1 hour ago
Peter CordesPeter Cordes
4,2431432
add a comment |
Only in the same way that modprobe "defeats" security by loading new code into the kernel.
For various reasons, sometimes it makes more sense to have semi-privileged code (like graphics drivers inside the X server) running in user-space rather than a kernel thread.
- Being able to
killit more easily, unless it locks up the HW. - Having it demand-page its code / data from files in the filesystem. (Kernel memory is not pageable)
- Giving it its own virtual address space where bugs in the X server might just crash the X server, without taking down the kernel.
It doesn't do much for security, but there are big reliability and software architecture advantages.
Baking graphics drivers into the kernel might reduce context switches between X clients and X server, like just one user->kernel->user instead of having to get data into another use-space process, but X servers historically are too big and too buggy to want them fully in kernel.
Yes, malicious code with these privs could take over the kernel if it wanted to, using /dev/mem to modify kernel code.
Or on x86 for example, run a cli instruction to disable interrupts on that core after making an iopl system call to set its IO privilege level to ring 0.
But even x86 iopl "only" gives access to some instructions: in/out (and the string versions ins/outs), and cli/sti. It doesn't let you use rdmsr or wrmsr to read or write "model specific registers" (e.g. IA32_LSTAR which sets the kernel entry point address for the x86-64 syscall instruction), or use lidt to replace the interrupt-descriptor table (which would let you totally take over the machine from the existing kernel, at least on that core.)
You can't even read control registers (like CR3 which holds the physical address of the top-level page-directory, which an attacking process might find useful as an offset into /dev/mem to modify its own page tables as an alternative to mmaping more of /dev/mem.)
invd (invalidate all caches without write-back!! (use case = early BIOS before RAM is configured)) is another fun one that always requires full CPL 0 (current privilege level), not just IOPL. Even wbinvd is privileged because it's so slow (and not interruptible), and has to flush all caches across all cores. (See Is there a way to flush the entire CPU cache related to a program? and WBINVD instruction usage)
Bugs that result in a jump to a bad address running data as code thus can't execute any of these instructions by accident in a user-space X server.
The current privilege level (in protected and long mode) is the low 2 bits of cs (the code segment selector). mov eax, cs / and eax, 3 works in any mode to read the privilege level.
To write the privilege level, you do a jmp far or call far to set CS:RIP (but the GDT/LDT entry for the target segment can restrict it based on the old privilege level, which is why user-space can't do this to elevate itself). Or you use int or syscall to switch to ring 0 at a kernel entry point.
answered 1 hour ago
Peter CordesPeter Cordes
4,2431432
add a comment |
Only in the same way that modprobe "defeats" security by loading new code into the kernel.
For various reasons, sometimes it makes more sense to have semi-privileged code (like graphics drivers inside the X server) running in user-space rather than a kernel thread.
- Being able to
killit more easily, unless it locks up the HW. - Having it demand-page its code / data from files in the filesystem. (Kernel memory is not pageable)
- Giving it its own virtual address space where bugs in the X server might just crash the X server, without taking down the kernel.
It doesn't do much for security, but there are big reliability and software architecture advantages.
Baking graphics drivers into the kernel might reduce context switches between X clients and X server, like just one user->kernel->user instead of having to get data into another use-space process, but X servers historically are too big and too buggy to want them fully in kernel.
Yes, malicious code with these privs could take over the kernel if it wanted to, using /dev/mem to modify kernel code.
Or on x86 for example, run a cli instruction to disable interrupts on that core after making an iopl system call to set its IO privilege level to ring 0.
But even x86 iopl "only" gives access to some instructions: in/out (and the string versions ins/outs), and cli/sti. It doesn't let you use rdmsr or wrmsr to read or write "model specific registers" (e.g. IA32_LSTAR which sets the kernel entry point address for the x86-64 syscall instruction), or use lidt to replace the interrupt-descriptor table (which would let you totally take over the machine from the existing kernel, at least on that core.)
You can't even read control registers (like CR3 which holds the physical address of the top-level page-directory, which an attacking process might find useful as an offset into /dev/mem to modify its own page tables as an alternative to mmaping more of /dev/mem.)
invd (invalidate all caches without write-back!! (use case = early BIOS before RAM is configured)) is another fun one that always requires full CPL 0 (current privilege level), not just IOPL. Even wbinvd is privileged because it's so slow (and not interruptible), and has to flush all caches across all cores. (See Is there a way to flush the entire CPU cache related to a program? and WBINVD instruction usage)
Bugs that result in a jump to a bad address running data as code thus can't execute any of these instructions by accident in a user-space X server.
The current privilege level (in protected and long mode) is the low 2 bits of cs (the code segment selector). mov eax, cs / and eax, 3 works in any mode to read the privilege level.
To write the privilege level, you do a jmp far or call far to set CS:RIP (but the GDT/LDT entry for the target segment can restrict it based on the old privilege level, which is why user-space can't do this to elevate itself). Or you use int or syscall to switch to ring 0 at a kernel entry point.
answered 1 hour ago
Peter CordesPeter Cordes
4,2431432
Only in the same way that modprobe "defeats" security by loading new code into the kernel.
For various reasons, sometimes it makes more sense to have semi-privileged code (like graphics drivers inside the X server) running in user-space rather than a kernel thread.
- Being able to
killit more easily, unless it locks up the HW. - Having it demand-page its code / data from files in the filesystem. (Kernel memory is not pageable)
- Giving it its own virtual address space where bugs in the X server might just crash the X server, without taking down the kernel.
It doesn't do much for security, but there are big reliability and software architecture advantages.
Baking graphics drivers into the kernel might reduce context switches between X clients and X server, like just one user->kernel->user instead of having to get data into another use-space process, but X servers historically are too big and too buggy to want them fully in kernel.
Yes, malicious code with these privs could take over the kernel if it wanted to, using /dev/mem to modify kernel code.
Or on x86 for example, run a cli instruction to disable interrupts on that core after making an iopl system call to set its IO privilege level to ring 0.
But even x86 iopl "only" gives access to some instructions: in/out (and the string versions ins/outs), and cli/sti. It doesn't let you use rdmsr or wrmsr to read or write "model specific registers" (e.g. IA32_LSTAR which sets the kernel entry point address for the x86-64 syscall instruction), or use lidt to replace the interrupt-descriptor table (which would let you totally take over the machine from the existing kernel, at least on that core.)
You can't even read control registers (like CR3 which holds the physical address of the top-level page-directory, which an attacking process might find useful as an offset into /dev/mem to modify its own page tables as an alternative to mmaping more of /dev/mem.)
invd (invalidate all caches without write-back!! (use case = early BIOS before RAM is configured)) is another fun one that always requires full CPL 0 (current privilege level), not just IOPL. Even wbinvd is privileged because it's so slow (and not interruptible), and has to flush all caches across all cores. (See Is there a way to flush the entire CPU cache related to a program? and WBINVD instruction usage)
Bugs that result in a jump to a bad address running data as code thus can't execute any of these instructions by accident in a user-space X server.
The current privilege level (in protected and long mode) is the low 2 bits of cs (the code segment selector). mov eax, cs / and eax, 3 works in any mode to read the privilege level.
To write the privilege level, you do a jmp far or call far to set CS:RIP (but the GDT/LDT entry for the target segment can restrict it based on the old privilege level, which is why user-space can't do this to elevate itself). Or you use int or syscall to switch to ring 0 at a kernel entry point.
answered 1 hour ago
Peter CordesPeter Cordes
4,2431432
answered 1 hour ago
Peter CordesPeter Cordes
4,2431432
answered 1 hour ago
Peter CordesPeter Cordes
4,2431432
answered 1 hour ago
Peter CordesPeter Cordes
4,2431432
4,2431432
add a comment |
add a comment |
user341099 is a new contributor. Be nice, and check out our Code of Conduct.
user341099 is a new contributor. Be nice, and check out our Code of Conduct.
user341099 is a new contributor. Be nice, and check out our Code of Conduct.
user341099 is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Unix & Linux Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f505527%2fdoesnt-allowing-a-user-mode-program-to-access-kernel-space-memory-and-execute-t%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
