Fractal mapping method is a potential security flaw

TylerH
Member
Posts: 285
Joined: Tue Apr 13, 2010 8:00 pm

Fractal mapping method is a potential security flaw

Post by TylerH »

While thinking about the fractal mapping method of mapping the PTs and PD into the address space, it occurred to me that every user PT will be mapped as a user page, since the user bit in each PDE will be read as a user bit when interpreted as a PTE.

An easy solution is to limit user processes from accessing the top of the address space using the limit field of the user GDT entries.

Anyway, just thought I'd mention it in case anyone was currently affected by this bug (as I was).
Brendan
Member
Posts: 8561
Joined: Sat Jan 15, 2005 12:00 am
Location: At his keyboard!

Re: Fractal mapping method is a potential security flaw

Post by Brendan »

Hi,
TylerH wrote: While thinking about the fractal mapping method of mapping the PTs and PD into the address space, it occurred to me that every user PT will be mapped as a user page, since the user bit in each PDE will be read as a user bit when interpreted as a PTE.

An easy solution is to limit user processes from accessing the top of the address space using the limit field of the user GDT entries.

Anyway, just thought I'd mention it in case anyone was currently affected by this bug (as I was).
There is no security flaw.

The permissions from each level of paging structures are combined, so that if all of them are set to "user" except for one, then CPL=3 code can't access anything.

For fractal mapping, the entire mapping would be "supervisor" (even though things are marked as "user" at lower levels in the paging structures - e.g. page table entries for "plain 32-bit paging") because you'd set it as "supervisor" at the highest level (e.g. the page directory entry for "plain 32-bit paging").



Cheers,

Brendan
For all things; perfection is, and will always remain, impossible to achieve in practice. However; by striving for perfection we create things that are as perfect as practically possible. Let the pursuit of perfection be our guide.
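To illustrate the permission combining Brendan describes, here is a toy C model of 32-bit paging written for this thread (not code from either poster): a constructed page directory maps itself in slot 1023, and the walk grants a CPL 3 access only when the U/S bit is set at both levels. The frame numbers, the recursive slot and the addresses are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of 32-bit x86 paging (added example, not code from the thread).
 * The flag bits follow the PDE/PTE layout; everything else is constructed. */
#define PG_P   0x1u   /* present */
#define PG_RW  0x2u   /* read/write */
#define PG_US  0x4u   /* user/supervisor: set = CPL 3 may access */

#define REC_SLOT 1023u /* assumed recursive PDE slot: tables appear at 0xFFC00000 */

/* Constructed "physical memory": frame 0 = page directory, 1 = a page table, 2 = data. */
static uint32_t phys[3][1024];
#define PD  phys[0]
#define PT0 phys[1]

/* Build the address space; rec_user controls the U/S bit on the recursive PDE. */
void build_tables(bool rec_user) {
    PD[0]  = (1u << 12) | PG_P | PG_RW | PG_US;      /* user PDE -> PT0 */
    PT0[5] = (2u << 12) | PG_P | PG_RW | PG_US;      /* user data page at 0x00005000 */
    PD[REC_SLOT] = (0u << 12) | PG_P | PG_RW | (rec_user ? PG_US : 0);
}

/* Walk a linear address the way the MMU does: a CPL 3 access succeeds only
 * when U/S is set at every level, so a single supervisor level denies it. */
bool user_can_read(uint32_t vaddr) {
    uint32_t pde = PD[vaddr >> 22];
    if (!(pde & PG_P)) return false;
    uint32_t pte = phys[pde >> 12][(vaddr >> 12) & 0x3FFu];
    if (!(pte & PG_P)) return false;
    return (pde & PG_US) && (pte & PG_US);
}

int main(void) {
    build_tables(false);   /* recursive entry marked supervisor, as Brendan describes */
    printf("user data page     : %d\n", user_can_read(0x00005000)); /* 1 */
    printf("fractal view of PT0: %d\n", user_can_read(0xFFC00000)); /* 0: PDE 1023 is supervisor */
    printf("fractal view of PD : %d\n", user_can_read(0xFFFFF000)); /* 0 */
    build_tables(true);    /* misconfiguration: recursive entry marked user */
    printf("fractal view of PT0: %d\n", user_can_read(0xFFC00000)); /* 1: tables readable from ring 3 */
    return 0;
}
```

The last line shows the only way the tables become user-readable: the top-level recursive entry itself carries the user bit, which is the thing to check in a fractal-mapped kernel.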
TylerH
Member
Posts: 285
Joined: Tue Apr 13, 2010 8:00 pm

Re: Fractal mapping method is a potential security flaw

Post by TylerH »

Oh, okay. Then the problem was with my understanding of the significance of the user bit in the PDEs. I assumed that a cleared user bit in the PDE marked the entire PT as privileged. Thanks for the correction.