Re: UVM and the NULL page

To: tech-kern%NetBSD.org@localhost
Subject: Re: UVM and the NULL page
From: David Holland <dholland-tech%netbsd.org@localhost>
Date: Wed, 28 Dec 2016 02:27:00 +0000

On Tue, Dec 27, 2016 at 11:15:59AM -0500, Mouse wrote:
 > >> Perhaps it's time to implement null pointers as something other than
 > >> all-bits-zero?
 > > Wouldn't help much; the next obvious (probably only viable) candidate
 > > is all-bits-1 and then you just need a slightly larger offset from it
 > > to jump to userspace.

Plus there's the problem that if one of these accidents occurs, the
kernel is as likely to have accidentally jumped to (or dereferenced
and trusted, or whatever, an explicit null pointer, with whatever bit
encoding that has, as an all-bits-0 pointer. Perhaps more likely.

 > Depends on the architecture.  For example, on the VAX, I would say
 > c0000000 and e0000000 would be prime candidates, because the high
 > quarter of the possible address space is permanently reserved.

Then the bit encoding for null should obviously be 0xdeadbeef :-)

(it is better, i.e., more likely for it to fault if used by accident
even with a large offset, if it's unaligned)

 > Machines with ring-based addressing architectures (does NetBSD run on
 > any such?) might have a ring that's ideal for the purpose.

There's i386... but we don't use a memory model that uses segment
addressing directly. If we did, though, it's segment 0 that's
hardwired to be invalid.

More RISCish architectures generally either don't have a hardwired
reserved region of virtual space, or only have invalid ranges where
you have to assume that some future processor model will eventually
allocate them for something.

If you don't have a hardware-reserved address, then you're designating
a reserved region yourself (regardless of what it is) and relying on
the VM system to not map it. At which point zero is as good (or bad)
as anything else.

There was a bunch of fuss before about being able to "fool" UVM into
mapping at address 0 in spite of this supposedly being disabled; for
some reason the "fix" was to bodge around it rather than to fix UVM to
honor its specification, which I don't understand. If you can fool UVM
into mapping user stuff at 0, what guarantee do you have that you
can't fool UVM into mapping user stuff over the kernel?

I would expect the GE whatsit that Multics ran on would deny execute
permission on less-privileged (and non-"conforming") segments, but
<troll>that hardware's long been irrelevant</troll>.

-- 
David A. Holland
dholland%netbsd.org@localhost

Follow-Ups:
- Re: UVM and the NULL page
  - From: Mouse
- re: UVM and the NULL page
  - From: matthew green
- Re: UVM and the NULL page
  - From: Matt Thomas

References:
- Re: UVM and the NULL page
  - From: Joerg Sonnenberger
- Re: UVM and the NULL page
  - From: Paul Goyette
- Re: UVM and the NULL page
  - From: Wolfgang Solfrank
- Re: UVM and the NULL page
  - From: Maxime Villard
- Re: UVM and the NULL page
  - From: Thor Lancelot Simon
- Re: UVM and the NULL page
  - From: Eduardo Horvath
- Re: UVM and the NULL page
  - From: David Laight
- Re: UVM and the NULL page
  - From: Mouse
- Re: UVM and the NULL page
  - From: David Holland
- Re: UVM and the NULL page
  - From: Mouse

Prev by Date: Re: kernel panic on ibm4xx-based powerpc box with DDB
Next by Date: Re: UVM and the NULL page
Previous by Thread: Re: UVM and the NULL page
Next by Thread: Re: UVM and the NULL page
Indexes:

Home | Main Index | Thread Index | Old Index