How does mmap’ing /dev/mem work despite being from unprivileged mode

mmapprivileges

As far as my understanding goes, User space programs run in the unprivileged mode, and thus do not have direct access to memory or I/O.

Then how exactly can we directly access memory or I/O locations when we mmap /dev/mem in user space programs?

For example:

int fd = 0;
u8 leds = 0;
fd = open("/dev/mem", O_RDWR|O_SYNC);
leds = (u8 *)mmap(0, getpagesize(), PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0x80840000);

This is a hack very commonly used in embedded devices.

Now the variable leds can be used on the fly to access any device that could be present at 0x80840000.

We won't be using any system call to access that address anymore.

Even something like

leds[0x20] = val;

would work.

But privileged operations, such as reading/writing directly to/from an I/O address should be possible only by putting the processor to privileged mode through a system call.

Source.

Best Answer

Allowing access to /dev/mem by unprivileged processes would indeed be a security problem and should not be permitted.

On my system, ls -l /dev/mem looks like this:

crw-r----- 1 root kmem 1, 1 Sep  8 10:12 /dev/mem

So root can read and write it, members of the kmem group (of which there happen to be none) can read it but not write it, and everyone else cannot open it at all. So this should be secure.

If your /dev/mem is anything like mine, your unprivileged process should not even have been able to open the file at all, let alone mmap it.

Check the permissions of /dev/mem on your system to make sure they are secure!

Related Solutions

How does the set-user-ID mechanism work in Unix

You might know the normal read, write and execute permissions for files in unix.

However, in many applications, this type of permission structure--e.g. giving a given user either full permission to read a given file, or no permission at all to read the file--is too coarse. For this reason, Unix includes another permission bit, the set-user-ID bit. If this bit is set for an executable file, then whenever a user other than the owner executes the file, that user acquires all the file read/write/execute privileges of the owner in accessing any of the owner's other files!

To set the set-user-ID bit for a file, type

 chmod u+s filename

Make sure that you have set group-other execute permission too; it would be nice to have group-other read permission as well. All of this can be done with the single statement

 chmod 4755 filename

It is also referred to as Saved UID. A file that is launched that has a Set-UID bit on, the saved UID will be the UID of the owner of the file. Otherwise, saved UID will be the Real UID.

What is effective uid ?

This UID is used to evaluate privileges of the process to perform a particular action. EUID can be changed either to Real UID, or Superuser UID if EUID!=0. If EUID=0, it can be changed to anything.

Example

An example of such program is passwd. If you list it in full, you will see that it has Set-UID bit and the owner is "root". When a normal user, say "mtk", runs passwd, it starts with:

Real-UID = mtk  
Effective-UID = mtk  
Saved-UID = root

Reference link 1
Reference link 2

Linux – what is the purpose of memory overcommitment on Linux

The reason for overcommitting is to avoid underutilization of physical RAM. There is a difference between how much virtual memory a process has allocated and how much of this virtual memory has been actually mapped to physical page frames. In fact, right after a process is started, it reserves very little RAM. This is due to demand paging: the process has a virtual memory layout, but the mapping from the virtual memory address to a physical page frame isn't established until the memory is read or written.

A program typically never uses its whole virtual memory space, and the memory areas touched varies during the run of the program. For example, mappings to page frames containing initialization code that is executed only at the start of the run can be discarded and the page frames can be used for other mappings.

The same applies to data: when a program calls malloc, it reserves a sufficiently large contiguous virtual address space for storing data. However, mappings to physical page frames are not established until the pages are actually used, if ever. Or consider the program stack: every process gets a fairly big contiguous virtual memory area set aside for the stack (typically 8 MB). A process typically uses only a fraction of this stack space; small and well-behaving programs use even less.

A Linux computer typically has a lot of heterogeneous processes running in different stages of their lifetimes. Statistically, at any point in time, they do not collectively need a mapping for every virtual page they have been assigned (or will be assigned later in the program run).

A strictly non-overcommitting scheme would create a static mapping from virtual address pages to physical RAM page frames at the moment the virtual pages are allocated. This would result in a system that can run far fewer programs concurrently, because a lot of RAM page frames would be reserved for nothing.

I don't deny that overcommitting memory has its dangers, and can lead to out-of-memory situations that are messy to deal with. It's all about finding the right compromise.