From: Christopher Neufeld <neufeld@physics.utoronto.ca>
To: hppa-linux@thepuffingroup.com
Subject: [hppa-linux] Gateway instructions
Date: Thu, 18 Mar 1999 09:35:58 -0500 (EST)
Message-ID: <199903181435.JAA14215@caliban.physics.utoronto.ca>

Hello folks,

I'm wondering if anybody's got a handle on how gateway instructions
are supposed to work. The instruction is designed to allow jumps into the
kernel, with privilege promotion, without invoking the cost of an
interrupt, by branching into a page and then taking on the privilege
level of the page. The only safety check seems to be in the "B" bit,
which would appear to prohibit the target of such a jump being, itself,
another jump.

How does this work, now? Is the target of the gateway instruction
intended to be simply a vector table of other jumps, preceded by some
non-branch instruction which forms the target of the gateway? After all,
if I am permitted to choose my entry point into a kernel function, I can
do bad things, at the very least crash the kernel, but also probably
subvert it quite easily. Access control seems to be limited to the page,
not forbidding jumps into other parts of the code within the same page.
And what is the "B" bit in the processor status supposed to do in all
this?

Is there a misprint in the book (or a misunderstanding on my part)? If
the "B" bit produces an exception when the target of the gateway is _not_
another jump, then I can see how this can be easily constructed into a
vector table into kernel functions without compromising security.

--
Christopher Neufeld neufeld@physics.utoronto.ca
Home page: http://caliban.physics.utoronto.ca/neufeld/Intro.html
"Don't edit reality for the sake of simplicity"