Re: [PATCHv1, RFC 0/8] Boot-time switching between 4- and 5-level paging

From: Andy Lutomirski
Date: Fri May 26 2017 - 03:22:10 EST

Next message: Jun Gao: "[PATCH v4 0/2] Add i2c dt-binding and device node for Mediatek MT2701 Soc"
Previous message: Ian Kent: "[ANNOUNCE] autofs 5.1.3 release"
In reply to: Kevin Easton: "Re: [PATCHv1, RFC 0/8] Boot-time switching between 4- and 5-level paging"
Next in thread: Kirill A. Shutemov: "Re: [PATCHv1, RFC 0/8] Boot-time switching between 4- and 5-level paging"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, May 25, 2017 at 9:18 PM, Kevin Easton <kevin@xxxxxxxxxxx> wrote:
> (If it weren't for that, maybe you could point the last entry in the PML4
> at the PML4 itself, so it also works as a PML5 for accessing kernel
> addresses? And of course make sure nothing gets loaded above
> 0xffffff8000000000).

This was an old trick done for a very different reason: it lets you
find your page tables at virtual addresses that depend only on the VA
whose page table you're looking for and the top-level slot that points
back to itself. IIRC Windows used to do this for its own memory
management purposes. A major downside is that an arbitrary write
vulnerability lets you write your own PTEs without any guesswork.

--Andy

Next message: Jun Gao: "[PATCH v4 0/2] Add i2c dt-binding and device node for Mediatek MT2701 Soc"
Previous message: Ian Kent: "[ANNOUNCE] autofs 5.1.3 release"
In reply to: Kevin Easton: "Re: [PATCHv1, RFC 0/8] Boot-time switching between 4- and 5-level paging"
Next in thread: Kirill A. Shutemov: "Re: [PATCHv1, RFC 0/8] Boot-time switching between 4- and 5-level paging"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]