Port-arm archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: TLS register access trapping failure on Orion

On Tue, Feb 14, 2012 at 11:10:37AM +0100, Reinoud Zandijk wrote:
> >From the ARM9 docs:
> c13, 0, c0, 0 : RW FSCE PID register            *
> c13, 0, c0, 1 : RW Context ID register                  *
> * register can be aparently written in user mode, bug or feature we can block?

Writing the FSCE from userspace has an 'interesting' (unwanted) side effect
for normal (non-TLS) programs.

The high 7 bits of FSCE replace the top bits of any virtual address when
they are zero. Moving the low 32MB addresses up the virtual address space.

This is 'fine' in user space since the page table access permissions are
applied afterwards.
However when the kernel does copyin/out it has explicit checks to stop
accessing kernel space for the 'user' addresses.
But by setting FSCE the user program can subvert the kernel's address
bound checks and copy to/for any kernel address!


David Laight: david%l8s.co.uk@localhost

Home | Main Index | Thread Index | Old Index