Subject: Re: copyout and address space overflows
To: None <tech-kern@netbsd.org>
From: Joerg Sonnenberger <joerg@britannica.bec.de>
List: tech-kern
Date: 11/16/2006 22:39:30

On Thu, Nov 16, 2006 at 12:44:57PM -0800, Jason Thorpe wrote:
>
> On Nov 16, 2006, at 10:15 AM, Joerg Sonnenberger wrote:
>
> >On Thu, Nov 16, 2006 at 09:43:20AM -0800, Jason Thorpe wrote:
> >>m68k platforms based on the Hibler pmap (i.e. all of them but sun2/
> >>sun3/sun3x) have completely separate 32-bit address spaces for kernel
> >>and user space.
> >
> >Is the kernel space using the full 32bit address space or only 31bit? In
> >the latter case, this would still catch the issues. Checking for
> >overflows in the src domain would make sense as well.
>
> Full separate 32-bit address space. The Motorola MMU supports this.

Hm. We could place a reservation at the 31bit boundary and check that
the input for copyout does not cross it or wrap around, which is a
generalised version of what i386 implicitly does with the userspace
limit check.

Joerg
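
Added example, not part of the original message and not NetBSD code: a sketch of the check proposed above, with a 32-bit address space modelled as `uint32_t`. The names `BOUNDARY`, `naive_below_boundary` and `check_user_range` are hypothetical, and treating a range as acceptable when it lies wholly on one side of the reservation is an assumption about the intended rule.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed for this sketch: the reservation sits at the 31-bit boundary. */
#define BOUNDARY UINT32_C(0x80000000)

enum range_status { RANGE_OK, RANGE_WRAPS, RANGE_CROSSES };

/* Naive form: addr + len is computed modulo 2^32 and can wrap to a
 * small value, so an oversized request looks as if it ends low. */
static int naive_below_boundary(uint32_t addr, uint32_t len)
{
    uint32_t end = addr + len;
    return end <= BOUNDARY;
}

/* Hypothetical helper: classify [addr, addr + len) without ever forming
 * a sum that can overflow. */
static enum range_status check_user_range(uint32_t addr, uint32_t len)
{
    uint32_t last;

    if (len == 0)
        return RANGE_OK;
    if (len - 1 > UINT32_MAX - addr)      /* last byte would pass 2^32 - 1 */
        return RANGE_WRAPS;
    last = addr + (len - 1);              /* cannot overflow after the test */
    if (addr < BOUNDARY && last >= BOUNDARY)
        return RANGE_CROSSES;             /* straddles the reservation */
    return RANGE_OK;
}

int main(void)
{
    /* Constructed inputs, chosen to hit each outcome. */
    printf("naive accepts wrapping range: %d\n",
        naive_below_boundary(UINT32_C(0xfffff000), 0x2000));
    printf("wrapping range: %d\n",
        (int)check_user_range(UINT32_C(0xfffff000), 0x2000));
    printf("crossing range: %d\n",
        (int)check_user_range(UINT32_C(0x7ffff000), 0x2000));
    printf("range ending at boundary: %d\n",
        (int)check_user_range(UINT32_C(0x7ffff000), 0x1000));
    return 0;
}
```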