From: Jamie Lokier <jamie@shareable.org>
To: David Mosberger-Tang <davidm@hpl.hp.com>, linux-ia64@linuxia64.org
Cc: linux-kernel@vger.kernel.org
Subject: A question about PROT_EXEC-only pages on IA64
Date: Thu, 1 Jul 2004 23:00:58 +0100 [thread overview]
Message-ID: <20040701220058.GA7928@mail.shareable.org> (raw)
Hi IA64 folks,
I'm doing a survey of the different architectural implementations of
PROT_* flags for mmap() and mprotect(). I'm looking at linux-2.6.5.
According to my reading of the source, from include/asm-ia64/pgtable.h
and arch/ia64/mm/fault.c, IA64 on Linux implements the following:
Requested PROT flags | --- R-- -W- RW- --X R-X -WX RWX
=====================+======================================================
ia64 MAP_SHARED | --- r-- !w- rw- *-x r-x !wx rwx
ia64 MAP_PRIVATE | --- r-- !w- rw- *-x r-x !wx rwx
"!" means that a read access raises a signal *sometimes*. This is
because the page protection when the page is installed allows reading,
but if there isn't a page installed, then a read fault will raise a
signal.
(Several architectures have "!" entries, but their places in the table
vary. On x86_64, and i386 with NX, for example, the sequence is "---
r-- !w- rw- r-x r-x rwx rwx": notice no "!" in the -WX case. That's
because of different logic in the fault handler.)
I have a question about about the column with "*". You have
implemented PROT_EXEC-only pages using these flags:
#define __P100 __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_X_RX)
I.e. _PAGE_AR_X_RX. My question is: does this mean that reading those
pages in *kernel* mode will succeed, i.e. so that write() would
succeed in reading from those pages?
If that's the behaviour, and the intention is to create exec-only
pages, then it's a bug. A similar bug has been found on the Sparc for
PROT_NONE pages, which is more serious.
It's not necessarily important on IA64, because IA64 is the _only_
Linux platform which does exec-only pages. (This despite other
hardware being able to have exec-only permissions. See another mail
about that in a few minutes).
I would simply like to know if this is the IA64 behaviour, where a
PROT_EXEC-only area is readable by get_user(), to document it. (It's
possible that I don't understand the technical implications of
_PAGE_AR_X_RX, and that in fact get_user() in kernel won't be able to
read exec-only pages.)
Thanks,
-- Jamie
reply other threads:[~2004-07-01 22:04 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040701220058.GA7928@mail.shareable.org \
--to=jamie@shareable.org \
--cc=davidm@hpl.hp.com \
--cc=linux-ia64@linuxia64.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox