Date:      Sat, 19 Sep 2009 19:48:37 +0300
From:      Kostik Belousov <kostikbel@gmail.com>
To:        Bruce Evans <brde@optusnet.com.au>
Cc:        freebsd-security@freebsd.org, Pieter de Boer <pieter@thedarkside.nl>, Julian Elischer <julian@elischer.org>
Subject:   Re: Protecting against kernel NULL-pointer derefs
Message-ID:  <20090919164837.GF47688@deviant.kiev.zoral.com.ua>
In-Reply-To: <20090920001841.G933@besplex.bde.org>
References:  <4AAF4A64.3080906@thedarkside.nl> <20090919.001313.110616099.hdk_2@yahoo.co.jp> <b8592ed80909180852r6f088176oe60fe598b797d636@mail.gmail.com> <4AB3BEC7.6090409@elischer.org> <4AB3F5DB.5070304@thedarkside.nl> <20090920001841.G933@besplex.bde.org>



On Sun, Sep 20, 2009 at 12:44:25AM +1000, Bruce Evans wrote:
> On Fri, 18 Sep 2009, Pieter de Boer wrote:
>=20
> >Julian wrote:
> >>The assumption is that the userland and kernel share a memory map.
> >>While we do implement it this way, it is not necessarily needed.
> >>We do it for performance reasons (each user memory map includes an
> >>identical top section that is the kernel space, so that we do not need
> >>to switch memory page arenas (change CR3) when entering the kernel.
> >>However it might be possible to not do this, and in fact on some
> >>hardware it is mandatory to not do this).
> >>
> >>It would require a page table arena switch with each syscall which
> >>would require flushing the TLBs which would be expensive..
> >>Hmm I guess I've talked myself out of this as a solution..  :-)
> >
> >So, to be able to run VM86 mode or Wine we could make the NULL mapping
> >protection a configurable kernel option, (defaulting to 'on'?), which
> >doscmd/wine users could turn off.
>
> Does VM86 mode really require or use mapping to kernel address 0?  I think
> it doesn't and shouldn't, since VM86 mode gets a special %cs which can
> have a nonzero base address.  Hmm, the user %cs is always different from
> the kernel %cs, so I think it can always have a nonzero base, but then
> user addresses would be different from kernel addresses, which would require
> large changes and small extra runtime to convert the addresses.  VM86
> mode would hopefully require only small or null changes since it is already
> weird.
In vm86 mode, %cs works exactly the same as in real mode, as do
all other segment registers. vm86-mode code is free to load any 16-bit
value into any segment register, and the virtual address is calculated as
(seg << 4) + offset.

>
> >A nicer way would be to be able to map
> >0x0 in userland while having the kernel use its own 0x0 mapping.
> >Possibly there is a way to do that without making context switches very
> >expensive? Partial TLB flushes??
>
> Not just context switches, but all kernel entries and exits are relevant.
> I think the cost of switching the map would be small if you only do
> it when necessary (on every kernel entry/exit from/to a user context
> that has pages mapped near address 0).  Most switches should be null
> since most processes shouldn't do that.  This can be optimized a bit
> more by delaying the switch back to the unsafe user map until userland
> actually accesses a low address.
Red Hat did that some time ago, but does not any more.
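The vm86 address formation described above, (seg << 4) + offset, is what puts a DOS-style program in conflict with a kernel that refuses to map the lowest page. The following is an added illustration, not code from the thread or from FreeBSD: it applies that formula to a constructed set of seg:off pairs and reports which of them resolve inside a hypothetical guarded low page (the 4 KiB page size and the guard itself are assumptions for the demonstration). The interrupt vector table and BIOS data area locations are the well-known real-mode conventions; the other pairs are arbitrary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* vm86 / real-mode address formation as stated in the message:
 * linear = (seg << 4) + offset. No descriptor base, no limit check.
 * The 8086 A20 wrap is not modelled; in vm86 mode the CPU forms the
 * full 21-bit result, so FFFF:FFFF resolves to 0x10FFEF. */
uint32_t vm86_linear(uint16_t seg, uint16_t off)
{
    return ((uint32_t)seg << 4) + off;
}

/* Hypothetical guard: a NULL-mapping protection that leaves the lowest
 * page of the address space unmapped makes every access that resolves
 * inside [0, page_size) fault. */
int touches_low_page(uint32_t linear, uint32_t page_size)
{
    return linear < page_size;
}

struct segoff {
    uint16_t seg, off;
    const char *what;
};

/* Constructed sample of seg:off pairs a vm86 program might touch.
 * The first two are the standard real-mode IVT and BIOS data area
 * addresses; the remaining entries are arbitrary. */
static const struct segoff samples[] = {
    { 0x0000, 0x0000, "interrupt vector table" },
    { 0x0040, 0x0000, "BIOS data area" },
    { 0x0000, 0x1000, "first byte above a 4 KiB page 0" },
    { 0x1000, 0x0000, "64 KiB program segment" },
    { 0xB800, 0x0000, "text-mode video memory" },
    { 0xFFFF, 0xFFFF, "highest vm86 address" },
};

#define NSAMPLES (sizeof samples / sizeof samples[0])

/* Count how many of the sample references land in the guarded page. */
size_t count_low_page_refs(uint32_t page_size)
{
    size_t n = 0;
    for (size_t i = 0; i < NSAMPLES; i++) {
        uint32_t lin = vm86_linear(samples[i].seg, samples[i].off);
        if (touches_low_page(lin, page_size))
            n++;
    }
    return n;
}

int main(void)
{
    const uint32_t page = 4096; /* assumed page size */

    for (size_t i = 0; i < NSAMPLES; i++) {
        uint32_t lin = vm86_linear(samples[i].seg, samples[i].off);
        printf("%04x:%04x -> 0x%06x  %-32s %s\n",
               samples[i].seg, samples[i].off, lin, samples[i].what,
               touches_low_page(lin, page) ? "[in guarded page 0]" : "");
    }
    printf("%zu of %zu sample references fall inside page 0\n",
           count_low_page_refs(page), NSAMPLES);
    return 0;
}
```

With a 4 KiB guarded page, both the interrupt vector table and the BIOS data area resolve inside it, which is the concrete reason the thread considers making the protection a per-process or configurable option rather than an unconditional one.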

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20090919164837.GF47688>