The History of a Security Hole
3 days ago
- #OpenBSD
- #x86
- #security
- A user process on 32-bit i386 OpenBSD 6.3 could crash the OS due to a security hole allowing access to I/O ports.
- The issue traces back to the Intel 80386's I/O permission bit map (IOPB) design, added late in the 386's development.
- The IOPB was intended to allow per-task I/O port access permissions but was poorly documented and implemented.
- OpenBSD and NetBSD had bugs in their Task State Segment (TSS) handling, leading to unintended I/O port access.
- OpenBSD's fix in 2000 inadvertently expanded the IOPB size, allowing access to more ports than intended.
- In 2016, OpenBSD removed IOPB-related APIs but left a critical bug, allowing user processes to access many I/O ports.
- The bug was fixed in OpenBSD 6.2 and 6.3 by correctly setting the TSS limit to exclude the IOPB.
- Other OSes like Windows and OS/2 handle the IOPB differently, often setting the IOPB offset past the TSS limit.
- The saga highlights the dangers of incomplete documentation, complex hardware design, and subtle programming errors.
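The bullets on the TSS limit and the IOPB offset describe a hardware rule that is easier to see in code. The following is an added example, not code from the article, OpenBSD or Intel: a Python model of the 80386 I/O permission check, using two simplifying assumptions (a map base beyond the TSS limit means "no map", and any bit that would lie past the limit is treated as set, i.e. denied). The TSS layouts and function names are constructed for illustration and contrast a limit that covers a zero-filled map with a limit that excludes the map.

```python
# Added example (not OpenBSD or Intel code): a model of the 80386 I/O
# permission check.  Simplifying assumptions: an I/O map base beyond the
# TSS limit means "no map", and any bit that would lie past the limit is
# treated as 1 (denied).  All TSS layouts below are constructed.

FIXED_TSS_SIZE = 104          # bytes of fixed fields before the 386 IOPB

def io_allowed(tss_limit, iopb_offset, bitmap, cpl, iopl, port, width=1):
    """Return True if an IN/OUT of `width` bytes at `port` may proceed.

    tss_limit   -- TSS segment limit: offset of the last valid TSS byte
    iopb_offset -- I/O map base field of the TSS
    bitmap      -- bytes stored at iopb_offset; bit value 1 denies a port
    """
    if cpl <= iopl:
        return True                    # privileged: no bitmap lookup at all
    if iopb_offset > tss_limit:
        return False                   # map lies outside the TSS: deny all
    for p in range(port, port + width):
        byte_off = iopb_offset + p // 8
        if byte_off > tss_limit:
            return False               # bit past the limit reads as 1
        idx = byte_off - iopb_offset
        bit = (bitmap[idx] >> (p % 8)) & 1 if idx < len(bitmap) else 1
        if bit:
            return False
    return True

def tss_map_inside_limit():
    """Constructed faulty layout: the limit covers a full, zero-filled map,
    so every port bit reads 0 and an unprivileged process passes the check."""
    bitmap = bytes(65536 // 8 + 1)     # 8 KiB of zeros plus the trailing byte
    return dict(tss_limit=FIXED_TSS_SIZE + len(bitmap) - 1,
                iopb_offset=FIXED_TSS_SIZE, bitmap=bitmap)

def tss_map_excluded():
    """Corrected layout: the limit ends before the map base, so the CPU
    sees no map and refuses every port to CPL 3 code."""
    return dict(tss_limit=FIXED_TSS_SIZE - 1,
                iopb_offset=FIXED_TSS_SIZE, bitmap=b"")

def tss_map_partial(nbytes):
    """Layout granting only ports 0..8*nbytes-1: a short all-zero map whose
    limit stops right after it, so higher ports fall past the limit."""
    return dict(tss_limit=FIXED_TSS_SIZE + nbytes - 1,
                iopb_offset=FIXED_TSS_SIZE, bitmap=bytes(nbytes))

def user_can_access(tss, port, width=1):
    """Evaluate the check for an ordinary user process (CPL 3, IOPL 0)."""
    return io_allowed(cpl=3, iopl=0, port=port, width=width, **tss)
```

The partial layout also shows why a multi-byte access straddling the end of a short map is refused: one of its bytes falls past the limit.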