Re: Page fault handling within a language

On Fri, 24 Mar 2006, James Harris wrote:
> <jdholzer@xxxxxxxxxxx> wrote in message
> > James Harris (e-mail address ignored) wrote:
> > > Anyone seen or considered data structures that handle
> > > their own address faults?
> > [...]
> > I can't see an OS creator ever allowing a user space process to truly
> > manage its own page faults. Doesn't sound like a good idea at all to
> > me.
>
> Why do you object to this? Can you see a problem with it?

Here's the normal (Unix) sequence of events, as I understand it:

Process tries to access page N, which isn't mapped yet.
Hardware calls the OS's page fault handler.
OS handler allocates a new physical frame and fills it somehow.
OS handler adds the new frame to the virtual page directory.
OS handler returns to process.

AIUI, you're proposing that the sequence of events go like this:

Process tries to access page N, which isn't mapped yet.
Hardware calls the OS's page fault handler.
OS's page fault handler jumps to the user's page fault handler.
User's handler allocates a new physical frame and fills it somehow.
User's handler adds the new frame to the virtual page directory.
User's handler returns to process.

(We need to have the OS handler in there; otherwise, you couldn't
have two different processes each with their own custom page fault handler.)

Now, this method requires the user process to know about the OS's
method of allocating physical frames. That's bad. But worse, it requires the user process to be able to modify the virtual page directory.
That means that the user process is free to re-map any pages anywhere
in its virtual address space, pretty much any time it wants. And that
means that a suitably clever program can execute privileged instructions,
by changing the virtual-to-physical mapping on the pages that are supposed
to hold the kernel's own code (for system calls and so on).

So in conclusion, this is a gigantic security hole, at least AIUI.
If you're thinking of a different sequence of events above, please
explain what you're thinking of.

-Arthur
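An added illustration, not from the thread, of the mechanism Unix does give a process for handling its own faults without the hole described above: the kernel keeps the page directory, the process only receives SIGSEGV with the faulting address, and the "allocate a frame and map it" step is requested from the kernel through mmap(). It assumes a Linux/POSIX system with sigaction() and MAP_FIXED; the reserved region, page count and fill pattern are constructed for the demo.

```c
/* Added example, not from the thread: a user-level fault handler that never
 * touches a page-table entry. The reserved region is PROT_NONE, so the first
 * touch of each page faults; the handler asks the kernel to back that page.
 * Assumes Linux/POSIX (sigaction with SA_SIGINFO, mmap with MAP_FIXED). */
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define NPAGES 8
static size_t page_size;
static unsigned char *region;         /* reserved PROT_NONE: every touch faults */
static volatile sig_atomic_t faults;  /* pages materialised by the handler */

static void on_fault(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    uintptr_t addr = (uintptr_t)si->si_addr, base = (uintptr_t)region;
    if (addr < base || addr >= base + NPAGES * page_size) {
        signal(SIGSEGV, SIG_DFL);     /* not our structure: a real bug, crash normally */
        return;
    }
    uintptr_t page = addr & ~(uintptr_t)(page_size - 1);
    /* Steps 4 and 5 of the sequence are done by the kernel on our behalf: it
     * picks the frame and edits its own page directory; we never see either. */
    void *p = mmap((void *)page, page_size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) _exit(2);
    memset(p, (int)((page - base) / page_size) + 1, page_size); /* "fill it somehow" */
    faults++;
}

/* Reserves the region, installs the handler, reads every page twice and returns
 * the number of faults taken (one per page), -1 on setup failure, -2 on bad data. */
int lazy_pages_demo(void) {
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    region = mmap(NULL, NPAGES * page_size, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED) return -1;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault; sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;
    faults = 0; long sum = 0;
    for (size_t i = 0; i < NPAGES; i++) sum += region[i * page_size + 17]; /* faults */
    for (size_t i = 0; i < NPAGES; i++) sum += region[i * page_size];      /* no fault */
    munmap(region, NPAGES * page_size);
    return sum == 2 * (NPAGES * (NPAGES + 1) / 2) ? (int)faults : -2;
}
```

The second pass over the region takes no faults, which is the "data structure that handles its own address faults" behaviour the thread asks about, achieved while the process stays unprivileged.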