[Cbe-oss-dev] 64k pages vs. problem state register mappings

Arnd Bergmann arnd at arndb.de
Wed Jun 7 09:27:22 EST 2006


The current kernel tree (with the 2.6.16-arnd4 patches) enables
64kb pages by default, but still has a bug in there.

The problem is that some of the problem state register area
files (mss, mfc, cntl) are mapping pages of physical size 4k,
while they all reside in the same 64k page. Similarly,
signal1 and signal2 are on the same 64k page.

Libspe doesn't currently use the direct mapping at all, but
it exposes the mmaped pointers to potential users. There
are two problems with applications using these:

1. The pointers are wrong, since the kernel implicitly aligns
   them to page size.

2. mapping multiple areas at once circumvents the protection
   mechanism implemented by the spufs file attributes.

For 1., we need to document how to detect that happening and libspe
needs to be changed to add an appropriate offset to the pointer
it gets from the kernel so the user gets a working result.
My understanding is that the info should be retrieved using
'sysconf(_SC_PAGESIZE);'.

For 2., the first three files are already protected with CAP_SYS_RAWIO,
so they are normally only mappable with root privileges. For the two
signal notification registers, doing the mmap on one of them also
gives a pointer to the other. This is potentially harmful if one 
of the two registers is used for communication with a process owned
by a different user, a model that libspe currently doesn't provide.
I guess the best we can do here is document it in the libspe man page
and warn users about potential security risks there.

	Arnd <><
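As an added example (not code from Arnd's mail or from libspe), the pointer fix-up for point 1 and a check for the shared-page situation in point 2; the 4k area size, the 64k page and the signal1/signal2 offsets are constructed assumptions, not the real SPE problem-state layout:

```c
#include <stdio.h>
#include <unistd.h>

/* Constructed layout for illustration only: register areas are 4k and
 * the two offsets below are assumed, not the real SPE problem-state map. */
#define AREA_SIZE        0x1000UL
#define SIGNAL1_OFFSET   0x14000UL
#define SIGNAL2_OFFSET   0x1C000UL

/* Stand-in for the page-aligned block mmap() would return (64k). */
static unsigned char fake_page[0x10000];

/* Nonzero when the page size exceeds the area size, i.e. the mmap()
 * result is page-aligned instead of pointing at the area itself. */
int needs_offset_fixup(unsigned long page_size, unsigned long area_size)
{
    return page_size > area_size;
}

/* Offset of an area inside the page containing it (page_size is a power of two). */
unsigned long area_offset_in_page(unsigned long area_offset, unsigned long page_size)
{
    return area_offset & (page_size - 1);
}

/* Turn the page-aligned pointer from mmap() into a pointer to the area. */
unsigned char *fixup_area_pointer(unsigned char *mapped, unsigned long area_offset,
                                  unsigned long page_size)
{
    if (!needs_offset_fixup(page_size, AREA_SIZE))
        return mapped;
    return mapped + area_offset_in_page(area_offset, page_size);
}

/* Nonzero when two areas land in one page, so mapping one exposes the other. */
int shares_page(unsigned long off_a, unsigned long off_b, unsigned long page_size)
{
    return off_a / page_size == off_b / page_size;
}

int main(void)
{
    unsigned long page_size = (unsigned long)sysconf(_SC_PAGESIZE);
    unsigned char *sig1 = fixup_area_pointer(fake_page, SIGNAL1_OFFSET, page_size);

    printf("page size %lu: signal1 at mapped+0x%lx, shares page with signal2: %d\n",
           page_size, (unsigned long)(sig1 - fake_page),
           shares_page(SIGNAL1_OFFSET, SIGNAL2_OFFSET, page_size));
    return 0;
}
```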
