tech-kern archive


Re: UVM and the NULL page



On Sat, Jul 30, 2016 at 11:52:59AM +0200, Maxime Villard wrote:
> On 30/07/2016 at 01:35, Wolfgang Solfrank wrote:
> > Actually, if this nonsense is committed, I will stop contributing
> > to NetBSD!
> > 
> 
> ? Leave, then.

This is way, way out of line.  Wolfgang has made many important
contributions to NetBSD, as have you.

What I understand him to be objecting to is something I perceive,
too: that you don't appear willing to actually make any adjustment
to your planned changes after discussion.

That makes it seem as if you're only discussing them to check a box
("must discuss changes before commit") -- not in the genuine spirit of
discussion.

On the other hand, at least one or two people really do seem to have
become frustrated enough to start lecturing you as if you simply
must accept their point of view instead of your own, which is also
not OK.

I for one am extremely grateful we have finally found someone who is
willing to dig into the nastiest corners of our x86 code and try to
make it rational.  It's been a long time.  So I hope you stay
engaged with NetBSD.

Still, I think it is important for you to accept that that means you'll
need to do some explaining and teaching, and even some waiting for other
people to understand before you check code in (or, at times, changing
what you plan to check in), because it will quickly become the case that
most people simply do not understand what you're doing or why.

In this case, I think I understand the details of the disagreement well
enough to summarize both sides.  Please tell me if I'm wrong.

1) amd64 partially shares VA space between the kernel and userland.  It
   is not unique in this but most architectures do not.

2) This means that the *userland* vulnerability which exists on almost all
   platforms (do we have any which force-map 0 to a page of zeroes?  some
   kernels do) can actually be used as a trampoline of sorts to grant
   arbitrary code execution *in the kernel* if one can find any NULL deref
   in the kernel.  Have I got that right?  I am least sure of this part.

   This isn't a theoretical problem.  Android had it (in a slightly
   different form) and I've seen it used to root a phone.  I've seen a
   similar vulnerability used to break out of a router "guest OS" into
   the host kernel and take over a supposedly hardened firewall.

3) Some people don't get it that there's a kernel vulnerability, because
   they're thinking of just the typical userland code-execution bug.  Or
   maybe I misunderstand and there is in fact only the userland bug.

4) Some people think your proposal to fix this by adding a pair of MD
   constants to UVM and making the VA checks generic across platforms
   does not adequately encapsulate this change which seems to benefit
   only a single architecture.  They would prefer such changes to be
   made in the existing MD component of the VM system (the pmap) rather
   than in the MI components.

5) You think your proposed fix is small and is appropriately MD and do
   not think it is worth fully encapsulating your change in the pmap
   layer.  For what it's worth, if any other architecture suffers from
   this problem, I think I agree.

Does that correctly summarize the situation and the disagreements?

Thor
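The mechanism summarized in point 2 above, as an added example that is not part of this thread and not NetBSD code: a userland program maps virtual address 0, lays out a fake object whose function pointer points at its own code, and then a "buggy" code path that dereferences a NULL object pointer ends up calling the attacker's function. In a real kernel on an architecture that shares the VA space with userland, the kernel's NULL dereference would read the same user-mapped page. The program also checks whether this platform even lets an unprivileged process map VA 0, which is the userland-side mitigation the message asks about. The struct layout (`fake_obj`/`fake_ops`), the `buggy_dispatch` path and the `PWNED` marker are hypothetical and constructed for the example.

```c
/* Added example, not from the thread or NetBSD: the NULL page as a
 * trampoline, shown entirely in userland, plus a check of whether the
 * running kernel allows VA 0 to be mapped at all. */
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* NetBSD spells it MAP_ANON */
#endif

/* Hypothetical object layout, as a driver might have: with obj == NULL,
 * obj->ops->handler(obj) reads the ops pointer straight from VA 0. */
struct fake_ops { int (*handler)(void *); };
struct fake_obj { struct fake_ops *ops; };

/* Constructed marker value returned by the attacker-supplied handler. */
#define PWNED 0x41414141

static int attacker_handler(void *obj) { (void)obj; return PWNED; }

/* Stands in for the buggy code path: trusts `obj` and never checks for NULL.
 * `volatile` stops the compiler reasoning about a NULL dereference here. */
static int buggy_dispatch(struct fake_obj *volatile obj) {
    return obj->ops->handler(obj);
}

/* Lays out the attacker's fake object at the start of `page`. */
struct fake_obj *plant_fake_object(void *page) {
    struct fake_obj *obj = page;
    struct fake_ops *ops = (struct fake_ops *)((char *)page + sizeof *obj);
    ops->handler = attacker_handler;
    obj->ops = ops;
    return obj;
}

/* Same layout and dispatch on a page mapped anywhere, so the mechanism can
 * be shown even where VA 0 is not mappable. Returns PWNED on success. */
int demo_on_private_page(void) {
    long ps = sysconf(_SC_PAGESIZE);
    void *page = mmap(NULL, ps, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return -1;
    int r = buggy_dispatch(plant_fake_object(page));
    munmap(page, ps);
    return r;
}

/* Tries to map VA 0 the way an exploit would. Returns PWNED if the kernel
 * allowed the mapping and the NULL dispatch then ran attacker_handler, or
 * -1 if the platform refuses (Linux vm.mmap_min_addr, for instance). */
int probe_null_page(void) {
    long ps = sysconf(_SC_PAGESIZE);
    void *page = mmap((void *)0, ps, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (page == MAP_FAILED) return -1;
    /* `page` is 0 here; using mmap's return value rather than a literal
     * NULL keeps the compiler from rewriting the dereference into a trap. */
    int r = buggy_dispatch(plant_fake_object(page));
    munmap(page, ps);
    return r;
}

int main(void) {
    printf("fake-object dispatch on a private page: 0x%x\n",
           demo_on_private_page());
    int r = probe_null_page();
    if (r == -1)
        printf("VA 0 not mappable: kernel refused mmap(0, MAP_FIXED)\n");
    else
        printf("VA 0 mapped; NULL dispatch returned 0x%x\n", r);
    return 0;
}
```

On a kernel that refuses the VA 0 mapping the second probe reports the refusal; on one that allows it, the NULL dispatch returns the marker, which is exactly the situation in which a kernel NULL dereference on a shared-VA-space architecture becomes attacker-controlled.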

