Xtensa: dup_table duplicates the pinned PTEVADDR entry #71633

ldmstm · 2024-04-18T02:21:29Z

The page table duplication routine in the current Xtensa implementation dup_table only skips copying and allocating L2 page tables when it detects a PTE as "illegal" (attributes 12 or 14), however it should also skip this when the index is the same as the one for the kernel ptables pinned virtual address, ie the entry that maps CONFIG_XTENSA_MMU_PTEVADDR.

Doing this copy wastes an entire 4k of memory and could potentially be a security issue, as it's copying the L1 table as an L2 page table.

Expected behavior
The code should entirely skip the entry that matches CONFIG_XTENSA_MMU_PTEVADDR and mark it as unmapped when duplicating the table.

Impact
Wasted memory, potential security issue.

Additional context
Xtensa platform with MMU and userspace enabled

The text was updated successfully, but these errors were encountered:

github-actions · 2024-04-18T02:22:11Z

Hi @ldmstm! We appreciate you submitting your first issue for our open-source project. 🌟

Even though I'm a bot, I can assure you that the whole community is genuinely grateful for your time and effort. 🤖💙

ceolin · 2024-04-23T22:10:39Z

Not clear what is the problem here, we indeed map the physical memory for all page tables, but we don't map the virtual address for the page table [CONFIG_XTENSA_MMU_PTEVADDR + 4MB], we just pin the l1 page for this area and the auto refill does the rest.

ldmstm · 2024-04-24T13:11:49Z

In the dup_tables routine it believes this entry you place at XTENSA_MMU_L1_POS(CONFIG_XTENSA_MMU_PTEVADDR) during kernel startup is a valid L1 page table entry to a different L2 page table, when in reality it's just itself.

When duplicating it, this causes memory to be mapped at CONFIG_XTENSA_MMU_PTEVADDR for other memory domains, when in reality we only want the mapping at the 4MB * user_asid offset

ceolin · 2024-04-24T17:56:16Z

XTENSA_MMU_L1_POS

I think I got what you mean, it is confuse because we don't map the page itself until it is used, so if I understood correctly, we can do:

		if (is_pte_illegal(source_table[i]) || (i == XTENSA_MMU_L1_POS(XTENSA_MMU_PTEVADDR))) {
			dst_table[i] = XTENSA_MMU_PTE_ILLEGAL;
			continue;
		}

I can't see a security issue because it is mapped as using kernel ring and the whole page table (physical memory) is already mapped, but indeed we can save memory doing it :)

ldmstm · 2024-04-24T18:27:51Z

Looks perfect to me, a whole 4k saved per memory domain.

Thanks!

ldmstm added the bug The issue is a bug, or the PR is fixing a bug label Apr 18, 2024

henrikbrixandersen added the area: Xtensa Xtensa Architecture label Apr 21, 2024

zephyrbot assigned dcpleung Apr 21, 2024

nashif added the priority: medium Medium impact/importance bug label Apr 23, 2024

ceolin linked a pull request Apr 24, 2024 that will close this issue

xtensa: mmu: Avoid unnecessary mapping #71894

Merged

dcpleung assigned ceolin and unassigned dcpleung Apr 24, 2024

jhedberg closed this as completed in #71894 Apr 27, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Xtensa: dup_table duplicates the pinned PTEVADDR entry #71633

Xtensa: dup_table duplicates the pinned PTEVADDR entry #71633

ldmstm commented Apr 18, 2024

github-actions bot commented Apr 18, 2024

ceolin commented Apr 23, 2024

ldmstm commented Apr 24, 2024

ceolin commented Apr 24, 2024

ldmstm commented Apr 24, 2024

Xtensa: dup_table duplicates the pinned PTEVADDR entry #71633

Xtensa: dup_table duplicates the pinned PTEVADDR entry #71633

Comments

ldmstm commented Apr 18, 2024

github-actions bot commented Apr 18, 2024

ceolin commented Apr 23, 2024

ldmstm commented Apr 24, 2024

ceolin commented Apr 24, 2024

ldmstm commented Apr 24, 2024