Securely removing the LDT restrictions (was: DOS4WG under dosemu)

Jamie Lokier (jamie@rebellion.co.uk)
Thu, 30 May 96 17:36 BST


>>>>> "Marty" == Marty Leisner <leisner@sdsp.mc.xerox.com> writes:

Marty> In message
Marty> <Pine.LNX.3.91.960529165936.20247E-100000@elserv.ffm.fgan.de>,
Marty> you write:
>> On Wed, 29 May 1996, Marty Leisner wrote:
>>
>>> > Dos4gw _did_ work in the past. The recent changes to close the
>>> > LDT security hole broke it.
>>> > Is it possible to ifdef these changes?
>>>
>> Sorry Marty, this is deep in the kernel (LDT), and it is not
>> dosemu-special. We will now have to emulate, what we did not
>> need to emulate before.

I could be wrong, but was the LDT security fix simply a matter of
ensuring that LDT segments don't cover the kernel linear address range,
0xc0000000-0xffffffff?

If so, that is likely to break a number of protected-mode DOS
applications in dosemu. Essentially, any application that wants to use
a flat memory model (no selectors) for all its memory access won't work.
From what I know of DOS4GW, I think that is all DOS4GW applications!
DJGPP runs fine in dosemu for me, but not programs that try to map low
video memory into their flat address range.

The problem is that some programs rely on being able to set an LDT entry
that covers the entire address range. Protection is provided by the
paging mechanism instead. The kernel's `modify_ldt' function doesn't
allow that, so those programs don't work.

All kernel pages should have _PAGE_KERNEL page-table entries, so they
are inaccessible to user processes anyway, regardless of settings in the
LDT. So why is the range delineated by an LDT entry restricted?

The LDT address range check was added for the sake of security, so I
must have missed something. Anyone care to fill me in?

`modify_ldt' is still needed (rather than a writable, mmap'd
/proc/self/ldt), to prevent the creation of system segments.

MS-Windows apparently allows LDT entries that cover the entire address
range, BTW. (I haven't tried it, but the DJGPP documentation says that
it can).

Cheers,
-- Jamie
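The range rule discussed above, as an added example of my own (not code from the mail or from the kernel): it builds the LDT entries a flat-model extender and a low-video-memory mapping would ask for and applies the "no segment may reach into 0xc0000000-0xffffffff" check. struct ldt_desc mirrors struct user_desc from <asm/ldt.h>; the helper names and sample entries are mine, and on an x86 Linux host main also hands the flat descriptor to modify_ldt(2) so you can see what the running kernel does with it.

```c
/* Added example (not from the mail or the kernel); see lead-in for assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#define KERNEL_LINEAR_START 0xc0000000ULL
#define FLAT_LIMIT_PAGES    0xfffffU /* 20-bit limit, 4 KiB granularity: 0..4 GiB */
/* Mirrors struct user_desc from <asm/ldt.h>, the modify_ldt(2) argument. */
struct ldt_desc {
    unsigned int entry_number, base_addr, limit;
    unsigned int seg_32bit:1, contents:2, read_exec_only:1;
    unsigned int limit_in_pages:1, seg_not_present:1, useable:1;
};

/* The check the mail describes: reject any segment whose last linear
 * address (computed the way the CPU does) reaches into the kernel range. */
int ldt_entry_allowed(const struct ldt_desc *d)
{
    uint64_t span = d->limit_in_pages ? ((uint64_t)d->limit + 1) << 12
                                      : (uint64_t)d->limit + 1;
    return (uint64_t)d->base_addr + span - 1 < KERNEL_LINEAR_START;
}

/* 32-bit read/write data segment: base .. base + 4 KiB * (pages + 1) - 1. */
void make_data_desc(struct ldt_desc *d, unsigned entry, uint32_t base, uint32_t pages)
{
    memset(d, 0, sizeof *d);
    d->entry_number = entry;
    d->base_addr = base;
    d->limit = pages;
    d->seg_32bit = d->limit_in_pages = d->useable = 1; /* contents 0 = data */
}

int main(void)
{
    struct ldt_desc flat, vga;
    make_data_desc(&flat, 0, 0, FLAT_LIMIT_PAGES); /* what a flat-model extender wants */
    make_data_desc(&vga, 1, 0xb8000, 7);           /* 32 KiB of text-mode video RAM */
    printf("flat 0..4G: %s\n", ldt_entry_allowed(&flat) ? "allowed" : "rejected");
    printf("VGA window: %s\n", ldt_entry_allowed(&vga) ? "allowed" : "rejected");
#if defined(__linux__) && (defined(__i386__) || defined(__x86_64__))
    /* Ask the running kernel; the 1996 kernel in the mail would return EINVAL. */
    long r = syscall(SYS_modify_ldt, 1, &flat, sizeof flat);
    printf("modify_ldt(flat): %s\n", r < 0 ? strerror(errno) : "accepted");
#endif
    return 0;
}
```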