From: Ralf Baechle <ralf@linux-mips.org>
To: Dominic Sweetman <dom@algor.co.uk>
Cc: Carsten Langgaard <carstenl@mips.com>,
Dominic Sweetman <dom@mips.com>,
chris@mips.com, kevink@mips.com, linux-mips@linux-mips.org
Subject: Re: The 64-bit version of __access_ok is broken.
Date: Mon, 9 Dec 2002 19:38:08 +0100 [thread overview]
Message-ID: <20021209193808.B27999@linux-mips.org> (raw)
In-Reply-To: <15860.33900.117478.251574@gladsmuir.algor.co.uk>; from dom@algor.co.uk on Mon, Dec 09, 2002 at 11:54:20AM +0000
On Mon, Dec 09, 2002 at 11:54:20AM +0000, Dominic Sweetman wrote:
> I'd like to be clear about the consequences of this. Presumably the
> 'access_ok()' macro is used to check addresses which were (originally)
> provided by a user program's system call.
>
> Carsten, are you saying that if such an address is set to say 2**41 in
> a CPU supporting 40-bit user virtual addresses, that the kernel will
> crash?
That's correct. The problem which Carsten diagnosed correctly was the
assumption which has been inherited from the 32-bit kernel that the sign-
bit makes the difference between valid userspace and kernelspace
addresses.
Linux doesn't use the supervisor mode so basically that assumption is still
true with the except of the area 2^PHYSBITS ... 2^63-1.
> If so, that seems to require a fix, even if we don't know a very
> efficient one. But perhaps any problem is a bit more subtle than
> that?
Access_ok is a macro which depending on kernel configuration is expanded
hundreds, if not thousands of times throughout the kernel. So every single
machine instruction in access_ok will make a size difference of several
kB. Carsten's patch was performing pretty badly in that cathegory. If
access_ok wasn't used that often the issue certainly wasn't worth the fuzz.
Access_ok is of course only usable in C code. We also have a few piece of
assembler code that access userspace and need to perform the same kind of
address validation tests. Carsten's patch was missing these completly. As
such it did only reduce the window of this bug from huge to "just" big.
An efficient solution only requires fairly minor changes as you can see in
the patch I just posted. It doesn't even require thinking, it can be
obtained by cut'n'paste from the Alpha code. Alternatively the problem
could also have been solved by forwarding address errors for the address
range in question to the page fault handler which would have served the
same purpose, maybe even a tad more efficient but ofuscated ...
Ralf
next prev parent reply other threads:[~2002-12-16 9:39 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-12-05 15:28 The 64-bit version of __access_ok is broken Carsten Langgaard
2002-12-09 4:18 ` Ralf Baechle
2002-12-09 9:30 ` Carsten Langgaard
2002-12-09 11:54 ` Dominic Sweetman
2002-12-09 12:27 ` Carsten Langgaard
2002-12-09 18:38 ` Ralf Baechle [this message]
2002-12-10 7:50 ` Carsten Langgaard
2002-12-10 12:40 ` Ralf Baechle
2002-12-09 16:36 ` Ralf Baechle
2002-12-10 8:55 ` Carsten Langgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20021209193808.B27999@linux-mips.org \
--to=ralf@linux-mips.org \
--cc=carstenl@mips.com \
--cc=chris@mips.com \
--cc=dom@algor.co.uk \
--cc=dom@mips.com \
--cc=kevink@mips.com \
--cc=linux-mips@linux-mips.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.