Re: A question about PROT_NONE on ARM and ARM26

[Russell King <rmk+lkml@arm.linux.org.uk>]

On Wed, Jun 30, 2004 at 08:14:28PM +0100, Jamie Lokier wrote:
> Russell King wrote:
> > We use three domains - one for user, one for kernel and one for IO.
> > Normally all three are in client mode.  However, on set_fs(KERNEL_DS)
> > we switch the kernel domain to manager mode.
> > 
> > This means that the user-mode LDR instructions (ldrt / ldrlst etc)
> > will not have their page permissions checked, and therefore the access
> > will succeed - exactly as we require.
> 
> Protection permissions (i.e. read-only, PROT_NONE) should still be
> checked after set_fs(KERNEL_DS).  It's only the kernel page vs. user
> page distinction that should be relaxed.
> 
> >From your description, it's not obvious that it'll do the right thing
> in that circumstance.

Trust me, it does.  Unless you fully understand how the MMU and domains
work on ARM, you've little chance of working it out from the code.

Really, I see its pointless trying to discuss the details of this any
further - I presently have very little time to educate people in the
details, sorry.

> Because set_fs() is rarely used, I think you can optimise getuser.S
> and putuser.S on ARM26.  Instead of comparing the address against
> TI_ADDR_LIMIT, compare it against the hard-coded userspace limit.

Wrong.  That means that if userspace passes an address above the hard
coded limit, we _WILL_ bypass all protections and access that memory.

However, ARM26 is not under my control anymore, so it isn't something
I care about, and I doubt there are many people who do.  We're talking
about a 20 year old architecture which hasn't had any conforming devices
produced for at least 10 years.

-- 
Russell King
 Linux kernel    2.6 ARM Linux   - http://www.arm.linux.org.uk/
 maintainer of:  2.6 PCMCIA      - http://pcmcia.arm.linux.org.uk/
                 2.6 Serial core