Subject: NetBSD master CVS tree commits
To: None <source-changes@NetBSD.ORG>
From: None <source@NetBSD.ORG>
Date: 10/19/1996 09:00:03
Sat Oct 19 01:51:36 PDT 1996
Update of /cvsroot/src/sys/arch/hp300/hp300
In directory netbsd1:/var/slash-tmp/cvs-serv28563
Set up a kernel_map entry for the text segment with protection of
VM_PROT_READ|VM_PROT_EXECUTE. The previous default (VM_PROT_ALL)
would cause the following scenario:

    - someone attempts to write kernel text (my test was writing
      to an offset of /dev/kmem which was known to be in the text
      segment, while in single-user mode).
    - enter trap() with MMU fault (because of RO pte).
    - trap() calls vm_fault(), which looks up vm_map_entry for
    - vm_fault interprets write fault and VM_PROT_WRITE (in VM_PROT_ALL)
      as COW; new page allocated, data copied to new page, new page
      mapped in at trunc_page(<faulting va>).
    - wow, look at the fireworks!

Fixes two potential symptoms:

    - kernacc() returns TRUE when checking for permission to write
      an offset in kernel text, which is bogus, since the text has
      been mapped RO by pmap_bootstrap().
    - Handling of a stray pointer that attempted to scribble into
      kernel text would not be executed properly.
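
A simplified user-space model of the behavior this commit message describes, added here as an illustration; it is not NetBSD source. The `model_entry` struct, the `model_*` functions, the protection constants defined locally and the addresses are all assumptions made for the example, which compares a text-segment map entry under VM_PROT_ALL with one under VM_PROT_READ|VM_PROT_EXECUTE.

```c
#include <stdbool.h>
#include <stdio.h>

/* Protection bits, defined locally for this model. */
#define VM_PROT_READ    0x01
#define VM_PROT_WRITE   0x02
#define VM_PROT_EXECUTE 0x04
#define VM_PROT_ALL     (VM_PROT_READ | VM_PROT_WRITE | VM_PROT_EXECUTE)

enum fault_result { FAULT_REJECTED, FAULT_COW_COPY, FAULT_MAPPED };

/* Hypothetical stand-in for the map entry covering kernel text. */
struct model_entry {
    unsigned long start, end; /* covers [start, end) */
    int protection;           /* what the map entry says is allowed */
    int pte_prot;             /* what the MMU enforces (text mapped RO) */
};

/* Constructed sample entries: before and after the change in the message. */
static const struct model_entry text_before = { 0x1000, 0x80000, VM_PROT_ALL, VM_PROT_READ | VM_PROT_EXECUTE };
static const struct model_entry text_after  = { 0x1000, 0x80000, VM_PROT_READ | VM_PROT_EXECUTE, VM_PROT_READ | VM_PROT_EXECUTE };

/* Model of the kernacc() question: does the map entry permit this access? */
bool model_kernacc(const struct model_entry *e, unsigned long va, int want)
{
    return va >= e->start && va < e->end && (e->protection & want) == want;
}

/* Model of the fault path: the MMU has already faulted; the map entry decides. */
enum fault_result model_fault(const struct model_entry *e, unsigned long va, int fault_type)
{
    if (va < e->start || va >= e->end || (e->protection & fault_type) != fault_type)
        return FAULT_REJECTED;  /* a real protection violation for the caller */
    if ((fault_type & VM_PROT_WRITE) && !(e->pte_prot & VM_PROT_WRITE))
        return FAULT_COW_COPY;  /* entry allows write, page is RO: treated as COW */
    return FAULT_MAPPED;
}

int main(void)
{
    const struct model_entry *e[] = { &text_before, &text_after };
    const char *name[] = { "VM_PROT_ALL", "VM_PROT_READ|VM_PROT_EXECUTE" };
    for (int i = 0; i < 2; i++)
        printf("%s: kernacc(write)=%d write-fault result=%d\n", name[i],
               model_kernacc(e[i], 0x2000, VM_PROT_WRITE),
               model_fault(e[i], 0x2000, VM_PROT_WRITE));
    return 0;
}
```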