Re: Potenitial security hole in the kernel

From: Jamie Lokier (lk@tantalophile.demon.co.uk)
Date: Tue May 29 2001 - 05:14:03 EST

Next message: david: "toshiba(freecom) USB cdrom kernel panic"
Previous message: Jens Axboe: "Re: [PATCH] panic in scsi_free/sr_scatter_pad"
In reply to: Chris Wedgwood: "Re: Potenitial security hole in the kernel"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Chris Wedgwood wrote:
> By the way, the context stored on the stack is entirely a user
> space context, however it does include some information from the
> kernel that may be useful to user space, such as a page fault
> address.
>
> I actually (ab)used this for userspace paging with mprotect and
> friends.... nasty hack :)

Aye, and it's nice to see that Linux is relatively fast at this.
(See attached table).

Various garbage collectors do this to track dirty pages (clisp, Elk and
Hans Boehm's GC which is now part of the GCC distribution come to mind).
It's a shame this doesn't work for system calls like read(), as they
return EFAULT instead of calling the signal handler. (It could be made
to work with some effort).

-- Jamie

Timing measurements
===================

   Here are some rough timings to handle a write protection faults and
   change protection from read-only to writable, page by page in
   sequential order. 2000 pages were faulted, in a region of
   memory-mapped /dev/zero.

   The times given are the total running time divided by the number of
   pages, so they including the time to call mprotect to unprotect each
   page. They are given in microseconds per page, and only the best
   observed time is shown. The first column is the time to dirty a zero
   page for the first time (the OS must process a second page fault and
   COW/allocate a new page in these cases). The second column is the
   time to unprotect a page that is already modified, which is the
   typical scenario for an incremental garbage collector.

     133MHz Pentium Linux 2.3.29 85.52 37.13 (page == 4096).
     233MHz dual Pentium II Linux 2.2.17-4 51.17 23.27 (page == 4096).
     233MHz Pentium II Linux 2.4.4 51.15 16.60 (page == 4096).
     300MHz Pentium II Linux 2.4.4 39.84 13.02 (page == 4096).
     366MHz Intel Celeron Linux 2.4.4 38.83 13.02 (page == 4096).
     400MHz Pentium II Linux 2.4.2 35.83 12.46 (page == 4096).
     600MHz Pentium III Linux 2.4.4 33.60 8.12 (page == 4096).
     600MHz Pentium III Linux 2.2.14-5 27.28 7.75 (page == 4096).
     600MHz Pentium III Linux 2.2.17-4 28.62 9.36 (page == 4096).
     PA-RISC HP-UX (which speed?) 108.44 60.34 (page == 4096).
     Sparc Ultra-1 SunOS 5.6 256.69 209.03 (page == 8192).
     Sparc SunOS 5.7 machine #1 158.26 102.26 (page == 8192).
     Sparc SunOS 5.7 machine #2 190.09 139.25 (page == 8192).
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: david: "toshiba(freecom) USB cdrom kernel panic"
Previous message: Jens Axboe: "Re: [PATCH] panic in scsi_free/sr_scatter_pad"
In reply to: Chris Wedgwood: "Re: Potenitial security hole in the kernel"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Thu May 31 2001 - 21:00:39 EST