PTI: Trap if we returned to userspace with kernel (full) page table
author kib <kib@FreeBSD.org>
Fri, 19 Jan 2018 22:10:29 +0000 (22:10 +0000)
committer kib <kib@FreeBSD.org>
Fri, 19 Jan 2018 22:10:29 +0000 (22:10 +0000)
commit b4c82b3b07aa5cc45c693e250bd98ff2a991e45f
tree b2b412623576c740bd6e14b646ca08748678fe89
parent cfbe0c6679ffe6d76cbcf94536c75cf930b5702c
PTI: Trap if we returned to userspace with kernel (full) page table
still active.

Map the userspace portion of the VA in the PTI kernel-mode page table as
non-executable. This way, if we ever miss reloading ucr3 into %cr3 on
the return to usermode, the process traps instead of executing in a
potentially vulnerable setup. Catch the condition of such a trap and
verify user-mode %cr3, which is saved by the page fault handler.

I peeked at this trick in some article about the Linux implementation.

Reviewed by: alc, markj (previous version)
Sponsored by: The FreeBSD Foundation
MFC after: 12 days
Differential Revision: https://reviews.freebsd.org/D13956
sys/amd64/amd64/exception.S
sys/amd64/amd64/genassym.c
sys/amd64/amd64/pmap.c
sys/amd64/amd64/trap.c
sys/amd64/include/asmacros.h
sys/amd64/include/pcb.h
sys/amd64/include/pcpu.h
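As an added illustration (not code from this commit or from the FreeBSD tree), a user-space C model of the check the message describes: the PGEX_* bit values are the x86 page-fault error-code bits, while the pcb layout, the function name and the sample cr3 values are assumptions made for the model.

```c
#include <stdint.h>
#include <stdio.h>

/* x86 page-fault error-code bits (same values FreeBSD's PGEX_* use). */
#define PGEX_P 0x01 /* page present: protection violation, not a missing page */
#define PGEX_U 0x04 /* fault raised while the CPU was in user mode */
#define PGEX_I 0x10 /* fault raised by an instruction fetch (NX hit) */

enum pti_verdict {
	PTI_OK,       /* ordinary user fault; hand it to the normal page-fault path */
	PTI_CR3_LEAK  /* user code ran on a non-user page table: kernel bug, panic */
};

/* Per-thread roots the model assumes a PTI kernel keeps in the pcb. */
struct pti_pcb {
	uint64_t kcr3; /* kernel-mode root: user VA mapped, but non-executable */
	uint64_t ucr3; /* user-mode root that must be in %cr3 after iret/sysret */
};

/*
 * Model of the check the commit describes: the first user instruction fetch
 * on the (NX) kernel page table faults, so on a user-mode instruction-fetch
 * fault the handler compares the %cr3 it saved at entry with the pcb's ucr3.
 * An NX fault with ucr3 loaded is an ordinary user bug (jumping into data);
 * any other root means the return-to-usermode path skipped the cr3 switch.
 */
enum pti_verdict
pti_classify_fault(const struct pti_pcb *pcb, uint64_t saved_cr3, uint32_t err)
{
	const uint32_t user_fetch = PGEX_U | PGEX_I;

	if ((err & user_fetch) != user_fetch)
		return (PTI_OK);
	return (saved_cr3 == pcb->ucr3 ? PTI_OK : PTI_CR3_LEAK);
}

int
main(void)
{
	/* Constructed sample roots; real values are physical addresses of PML4s. */
	struct pti_pcb pcb = { .kcr3 = 0x1000, .ucr3 = 0x2000 };
	uint32_t nx = PGEX_P | PGEX_U | PGEX_I;

	printf("kcr3 left loaded: %s\n",
	    pti_classify_fault(&pcb, pcb.kcr3, nx) == PTI_CR3_LEAK ? "leak" : "ok");
	printf("ucr3 loaded:      %s\n",
	    pti_classify_fault(&pcb, pcb.ucr3, nx) == PTI_CR3_LEAK ? "leak" : "ok");
	return (0);
}
```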