Port-arm archive


Re: TLS register access trapping failure on Orion



On Tue, Feb 14, 2012 at 11:10:37AM +0100, Reinoud Zandijk wrote:
> 
> From the ARM9 docs:
> c13, 0, c0, 0 : RW FSCE PID register            *
> c13, 0, c0, 1 : RW Context ID register                  *
...
> * register can be apparently written in user mode, bug or feature we can block?

Writing the FSCE from userspace has an 'interesting' (unwanted) side effect
for normal (non-TLS) programs.

The high 7 bits of FSCE replace the top bits of any virtual address when
they are zero, moving the low 32MB of addresses up the virtual address space.

This is 'fine' in user space since the page table access permissions are
applied afterwards.
However, when the kernel does copyin/out it has explicit checks to stop
accessing kernel space for the 'user' addresses.
But by setting FSCE the user program can subvert the kernel's address
bound checks and copy to/from any kernel address!

        David

-- 
David Laight: david%l8s.co.uk@localhost
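The address rewriting David describes, as an added model (not code from the thread or from NetBSD): a constructed C simulation of how the top 7 bits of the FSCE/FCSE register are substituted into a virtual address whose own top bits are zero, and why a copyin/out bound check applied to the unmodified address passes while the address the MMU actually uses lands in kernel space. The user/kernel split at 0x80000000 and the function names are assumptions for illustration; the real split and the real kernel checks are not stated on the page. The point from a defender's side is that the bound check must see the same address the hardware sees, or user writes to the register must be blocked.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the Fast Context Switch Extension (FCSE):
 * bits 31:25 of the PID register replace bits 31:25 of a VA when
 * those VA bits are zero, i.e. the low 32MB of the address space. */
#define FCSE_PID_MASK 0xFE000000u

/* Assumption for this example: addresses at or above this are kernel. */
#define USER_LIMIT 0x80000000u

/* Modified virtual address as the MMU would compute it. */
uint32_t fcse_mva(uint32_t va, uint32_t fcse_reg)
{
    if ((va & FCSE_PID_MASK) == 0)
        return va | (fcse_reg & FCSE_PID_MASK);
    return va;
}

/* The kind of check the mail describes: validate the caller-supplied VA
 * against the user/kernel boundary. Written to avoid wrap-around. */
bool range_is_user_va(uint32_t va, uint32_t len)
{
    return va < USER_LIMIT && len <= USER_LIMIT - va;
}

/* Hardened variant: validate the address the hardware will actually use,
 * so a relocated low-32MB window cannot slip past the boundary check. */
bool range_is_user_mva(uint32_t va, uint32_t len, uint32_t fcse_reg)
{
    return range_is_user_va(fcse_mva(va, fcse_reg), len);
}

/* True when the plain VA check accepts a range whose modified address
 * is outside user space: exactly the mismatch the mail warns about. */
bool check_is_subverted(uint32_t va, uint32_t len, uint32_t fcse_reg)
{
    return range_is_user_va(va, len) && !range_is_user_mva(va, len, fcse_reg);
}

int main(void)
{
    /* Constructed sample: a low user address and a PID register whose
     * top bits point into the kernel half of the address space. */
    uint32_t va = 0x00100000u, len = 0x1000u, pid = 0x84000000u;

    printf("va=%#010x mva=%#010x\n", va, fcse_mva(va, pid));
    printf("plain check: %s, mva check: %s, subverted: %s\n",
           range_is_user_va(va, len) ? "pass" : "fail",
           range_is_user_mva(va, len, pid) ? "pass" : "fail",
           check_is_subverted(va, len, pid) ? "yes" : "no");
    return 0;
}
```

With the PID register cleared, both checks agree; with its top bits set to a kernel region, only the check on the modified address rejects the range, which is why the thread's question of trapping user-mode writes to the register matters.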

