Re: UVM and the NULL page

To: Eduardo Horvath <eeh%NetBSD.org@localhost>, Thor Lancelot Simon <tls%panix.com@localhost>, Maxime Villard <max%m00nbsd.net@localhost>, tech-kern%netbsd.org@localhost
Subject: Re: UVM and the NULL page
From: Wolfgang Solfrank <Wolfgang%Solfrank.net@localhost>
Date: Tue, 27 Dec 2016 14:12:59 +0100

Hi,

Any cpu that doesn't require special instructions for copyin/out
is susceptible to user processes mapping code to address 0 and
converting a kernel 'jump through unset pointer' from a panic
into a massive security hole (executing process code with the
'supervisor' bit set).


Only if you do a naive implementation of copyin/out. Nothing prevents
you from implementing copyin/out on these cpus by mapping only the
relevant part of the user address space at some reserved address
(maybe even one page at a time), do the copying and then unmap the
user space part. No reason to share the user address space all the
time.

Ciao,
Wolfgang
--
Wolfgang%Solfrank.net@localhost				Wolfgang Solfrank

Follow-Ups:
- Re: UVM and the NULL page
  - From: David Laight

References:
- UVM and the NULL page
  - From: Maxime Villard
- Re: UVM and the NULL page
  - From: Pierre Pronchery
- Re: UVM and the NULL page
  - From: Maxime Villard
- Re: UVM and the NULL page
  - From: Joerg Sonnenberger
- Re: UVM and the NULL page
  - From: Paul Goyette
- Re: UVM and the NULL page
  - From: Wolfgang Solfrank
- Re: UVM and the NULL page
  - From: Maxime Villard
- Re: UVM and the NULL page
  - From: Thor Lancelot Simon
- Re: UVM and the NULL page
  - From: Eduardo Horvath
- Re: UVM and the NULL page
  - From: David Laight

Prev by Date: kernel panic on ibm4xx-based powerpc box with DDB
Next by Date: Re: UVM and the NULL page
Previous by Thread: Re: UVM and the NULL page
Next by Thread: Re: UVM and the NULL page
Indexes:

Home | Main Index | Thread Index | Old Index