Date:      Sun, 20 Sep 2009 00:44:25 +1000 (EST)
From:      Bruce Evans <brde@optusnet.com.au>
To:        Pieter de Boer <pieter@thedarkside.nl>
Cc:        freebsd-security@freebsd.org, Julian Elischer <julian@elischer.org>
Subject:   Re: Protecting against kernel NULL-pointer derefs
Message-ID:  <20090920001841.G933@besplex.bde.org>
In-Reply-To: <4AB3F5DB.5070304@thedarkside.nl>
References:  <4AAF4A64.3080906@thedarkside.nl> <20090919.001313.110616099.hdk_2@yahoo.co.jp> <b8592ed80909180852r6f088176oe60fe598b797d636@mail.gmail.com> <4AB3BEC7.6090409@elischer.org> <4AB3F5DB.5070304@thedarkside.nl>

On Fri, 18 Sep 2009, Pieter de Boer wrote:

> Julian wrote:
>> The assumption is that the userland and kernel share a memory map.
>> While we do implement it this way, it is not necessarily needed.
>> We do it for performance reasons (each user memory map includes an
>> identical top section that is the kernel space, so that we do not need
>> to switch memory page arenas (change CR3) when entering the kernel.
>> However it might be possible to not do this, and in fact on some
>> hardware it is mandatory to not do this).
>>
>> It would require a page table arena switch with each syscall which
>> would require flushing the TLBs which would be expensive..
>> Hmm I guess I've talked myself out of this as a solution..  :-)
>
> So, to be able to run VM86 mode or Wine we could make the NULL mapping
> protection a configurable kernel option, (defaulting to 'on'?), which
> doscmd/wine users could turn off.

Does VM86 mode really require or use mapping to kernel address 0?  I think
it doesn't and shouldn't, since VM86 mode gets a special %cs which can
have a nonzero base address.  Hmm, the user %cs is always different from
the kernel %cs, so I think it can always have a nonzero base, but then
user addresses would be different from kernel addresses, which would require
large changes and small extra runtime to convert the addresses.  VM86
mode would hopefully require only small or null changes since it is already
weird.

> A nicer way would be to be able to map
> 0x0 in userland while having the kernel use its own 0x0 mapping.
> Possibly there is a way to do that without making context switches very
> expensive? Partial TLB flushes??

Not just context switches, but all kernel entries and exits are relevant.
I think the cost of switching the map would be small if you only do
it when necessary (on every kernel entry/exit from/to a user context
that has pages mapped near address 0).  Most switches should be null
since most processes shouldn't do that.  This can be optimized a bit
more by delaying the switch back to the unsafe user map until userland
actually accesses a low address.

Bruce
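As an added check, not part of this thread and not FreeBSD's own code: a small probe that reports whether the running kernel lets an unprivileged process map the NULL page, i.e. whether the protection being discussed is actually in effect on a given box. The `security.bsd.map_at_zero` sysctl is assumed to be the FreeBSD knob governing this (it post-dates this thread) and is only consulted when compiled on FreeBSD; elsewhere only the mmap verdict is reported.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

/* Returns 1 if this process was allowed to map page 0 (a kernel NULL
 * dereference would then read user-controlled memory), 0 if the kernel
 * refused, -1 if the page size could not be determined. */
int null_page_mappable(void)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0)
        return -1;
    /* MAP_FIXED forces the kernel to honour address 0 or refuse outright. */
    void *p = mmap((void *)0, (size_t)pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return 0;               /* kernel declined the low mapping */
    /* Mapping succeeded (p == NULL): undo it at once, we only wanted the verdict. */
    munmap(p, (size_t)pagesz);
    return 1;
}

/* FreeBSD only: value of security.bsd.map_at_zero (assumed knob name);
 * -1 where the sysctl is unavailable, e.g. on other operating systems. */
int map_at_zero_setting(void)
{
#ifdef __FreeBSD__
    int v = 0;
    size_t len = sizeof v;
    if (sysctlbyname("security.bsd.map_at_zero", &v, &len, NULL, 0) == 0)
        return v;
#endif
    return -1;
}

int main(void)
{
    int r = null_page_mappable();
    printf("NULL page mappable by this process: %s\n",
           r == 1 ? "YES (unprotected)" : r == 0 ? "no (kernel refused)" : "unknown");
    int knob = map_at_zero_setting();
    if (knob >= 0)
        printf("security.bsd.map_at_zero = %d\n", knob);
    return 0;
}
```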