Port-sgimips archive


Re: R4000 end-of-page bug



On Mar 7, 2009, at 5:06 AM, Frank Wille wrote:

> I have rebuilt the kernel with it, but it doesn't change much.

I imagine you'd have to rebuild the whole system with -mfix-r4000. I may be mistaken, but I don't think that these bugs should affect the kernel, since it doesn't execute code via virtual memory.

>> The EOP bug is more nefarious and may be a security vulnerability.
>> Apparently when it is triggered, the jump target address is used as
>> the exception vector.
>
> Oh, yes! That means without some hacks to the exception handler (wiring down
> following pages) such an R4000 system will always be vulnerable? :|

I think it's worse than that. Since MIPS has no execute protection bit on pages, I think that any program could just dynamically generate a vulnerable page and jump to it. The kernel would never have a chance of protecting it.

It sucks, but I doubt anyone would use this as an untrusted, multiuser system.

> BTW, I asked somebody who has more experience with gcc (Gunther Nikl) to do the alignment modification for us. And I'm currently testing the following
> patch to src/gnu/dist/gcc4/gcc/config/mips/mips.c:
> [snip]
> I already recompiled the kernel and all jumps and most branches seem to be aligned. And the kernel works! Now I'm recompiling the whole userland to see
> if it makes any difference.
>
> We made this fix depend on -mfix-r4000.

Awesome! Given what I said above, I'm kind of surprised that it would matter for the kernel. Perhaps I was wrong.

One thing, though: I think that this bug affects branch instructions, too.

Steve
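The thread's fix is to have GCC (under -mfix-r4000) align jumps and branches so none lands in the last instruction word of a page. The following is an added audit example, not code from this thread, from NetBSD or from GCC: it scans a big-endian MIPS text image for jump or branch instructions occupying that last-word slot, which is the position a rebuilt kernel or userland should no longer contain. The 4 KiB page size, the exact trigger position, and the sample image are assumptions made for the example.

```python
# Added example, not code from this thread or from NetBSD/GCC.
# Audit helper: flag MIPS jump/branch instructions that occupy the last
# instruction slot of a page, so that their delay slot falls on the next page.
# Assumptions (labelled): 4 KiB pages, big-endian instruction words, and that
# "end of page" means exactly that last-word position.
import struct

PAGE_SIZE = 4096           # assumption: 4 KiB pages
LAST_SLOT = PAGE_SIZE - 4  # byte offset of the final 32-bit word in a page


def is_jump_or_branch(word: int) -> bool:
    """Return True if the 32-bit MIPS instruction word is a jump or branch.

    Covers J/JAL, JR/JALR, BEQ/BNE/BLEZ/BGTZ (and their -likely forms) and the
    REGIMM branches BLTZ/BGEZ/BLTZAL/BGEZAL (and their -likely forms).
    Coprocessor branches (BC1x etc.) are deliberately not decoded here.
    """
    op = (word >> 26) & 0x3F
    if op in (2, 3):                 # J, JAL
        return True
    if op in (4, 5, 6, 7):           # BEQ, BNE, BLEZ, BGTZ
        return True
    if op in (20, 21, 22, 23):       # BEQL, BNEL, BLEZL, BGTZL
        return True
    if op == 1:                      # REGIMM: branch type lives in the rt field
        rt = (word >> 16) & 0x1F
        return rt in (0, 1, 2, 3, 16, 17, 18, 19)
    if op == 0:                      # SPECIAL: JR (funct 8), JALR (funct 9)
        return (word & 0x3F) in (8, 9)
    return False


def find_end_of_page_jumps(base_addr: int, text: bytes):
    """Scan a .text image loaded at base_addr and return [(addr, word), ...]
    for every jump/branch sitting in the last word of a page."""
    hits = []
    for off in range(0, len(text) - 3, 4):
        addr = base_addr + off
        if addr % PAGE_SIZE != LAST_SLOT:
            continue
        (word,) = struct.unpack(">I", text[off:off + 4])
        if is_jump_or_branch(word):
            hits.append((addr, word))
    return hits


def build_sample() -> bytes:
    """Constructed sample: two pages of NOPs with a few control transfers."""
    words = [0] * (2 * PAGE_SIZE // 4)          # 0x00000000 is NOP on MIPS
    words[10] = 0x10400003                      # beq $v0,$zero,+3 (mid-page, fine)
    words[PAGE_SIZE // 4 - 1] = 0x08000400      # j 0x1000 in the last word of page 0
    words[PAGE_SIZE // 4 + 5] = 0x0C000400      # jal 0x1000 (mid-page, fine)
    words[2 * PAGE_SIZE // 4 - 1] = 0x03E00008  # jr $ra in the last word of page 1
    return b"".join(struct.pack(">I", w) for w in words)


if __name__ == "__main__":
    base = 0x80001000  # constructed, page-aligned load address
    for addr, word in find_end_of_page_jumps(base, build_sample()):
        print(f"{addr:#010x}: {word:#010x} jump/branch in last word of page")
```

Run against a real kernel or a userland object, the raw .text bytes and their load address would replace build_sample() and the constructed base; an empty result after a -mfix-r4000 rebuild is the expected outcome, and any hit names an address worth inspecting in the disassembly.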

