git: kernel - Intel user/kernel separation MMU bug fix part 1/3

Matthew Dillon dillon at
Fri Jan 5 10:23:26 PST 2018

commit 4611d87f91be625f8ef4c7ea2709b86abe035b65
Author: Matthew Dillon <dillon at>
Date:   Wed Jan 3 12:45:17 2018 -0800

    kernel - Intel user/kernel separation MMU bug fix part 1/3

    * Part 1/3 of the fix for the Intel user/kernel separation MMU bug.
      It appears that it is possible to discern the contents of kernel
      memory with careful timing measurements of instructions due to
      speculative memory reads and speculative instruction execution
      by Intel cpus.  This can happen because Intel will allow both to
      occur even when the memory access is later disallowed due to
      privilege separation in the PTE.
      Even though the execution is always aborted, the speculative
      reads and speculative execution results in timing artifacts which
      can be measured.  A speculative compare/branch can lead to timing
      artifacts that allow the actual contents of kernel memory to be
      While there are multiple speculative attacks possible, the Intel
      bug is particularly bad because it allows a user program to more
      or less effortlessly access kernel memory (and if a DMAP is
      present, all of physical memory).
    * Part 1 implements all the logic required to load an 'isolated'
      version of the user process's PML4e into %cr3 on all user
      transitions, and to load the 'normal' U+K version into %cr3 on
      all transitions from user to kernel.
    * Part 1 fully allocates, copies, and implements the %cr3 loads for
      the 'isolated' version of the user process PML4e.
    * Part 1 does not yet actually adjust the contents of this isolated
      version to replace the kernel map with just a trampoline map in
      kernel space.  It does remove the DMAP as a test, though.  The
      full separation will be done in part 3.

Summary of changes:
 sys/cpu/x86_64/include/asmacros.h      | 237 +++++++++++++++++++++++++++++++--
 sys/cpu/x86_64/include/frame.h         |  12 ++
 sys/platform/pc64/apic/apic_vector.s   |  34 +++--
 sys/platform/pc64/icu/icu_vector.s     |   2 +-
 sys/platform/pc64/include/globaldata.h |  24 ++--
 sys/platform/pc64/include/pcb.h        |  14 +-
 sys/platform/pc64/include/pmap.h       |   2 +
 sys/platform/pc64/x86_64/exception.S   | 214 ++++++++---------------------
 sys/platform/pc64/x86_64/genassym.c    |  20 ++-
 sys/platform/pc64/x86_64/global.s      |   9 +-
 sys/platform/pc64/x86_64/ipl.s         |   2 +-
 sys/platform/pc64/x86_64/machdep.c     |  14 +-
 sys/platform/pc64/x86_64/mp_machdep.c  |   8 +-
 sys/platform/pc64/x86_64/msi_vector.s  |   2 +-
 sys/platform/pc64/x86_64/pmap.c        | 173 +++++++++++++++++++-----
 sys/platform/pc64/x86_64/swtch.s       |  40 +++---
 sys/platform/pc64/x86_64/vm_machdep.c  |  13 +-
 17 files changed, 551 insertions(+), 269 deletions(-)
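The scheme the commit message describes (a separate 'isolated' PML4 per process that is loaded into %cr3 whenever execution returns to user mode, with the full U+K PML4 loaded on every entry into the kernel, and part 1 only dropping the DMAP from the isolated copy) as an added toy model in C. This is not DragonFly code; the slot indices, the PTE present bit and all addresses are assumptions chosen for the example.

```c
/* Toy model of the two-PML4 scheme in the commit message: constructed example, not
 * DragonFly code; slot numbers, PTE bits and addresses below are assumed. */
#include <stdint.h>
#include <string.h>
#define NPML4E          512  /* a 4 KiB PML4 page holds 512 8-byte entries */
#define KPML4I_FIRST    256  /* entries 256..511 map the upper (kernel) half */
#define PG_V            0x1ULL
#define DMAP_SLOT_FIRST 320  /* assumed DMAP slots; the real index is in pmap.h */
#define DMAP_NSLOTS     4

struct model_pmap {
    uint64_t pml4_uk[NPML4E];  /* normal U+K map: %cr3 on every user->kernel entry */
    uint64_t pml4_iso[NPML4E]; /* isolated copy: %cr3 on every return to user mode */
    uint64_t cr3_uk, cr3_iso;  /* physical addresses those two %cr3 loads would use */
};

/* Part 1 behaviour: copy the U+K PML4 and knock out only the DMAP slots.
 * Returns how many entries were removed from the isolated copy. */
int build_isolated_pml4(struct model_pmap *p)
{
    int removed = 0;
    memcpy(p->pml4_iso, p->pml4_uk, sizeof(p->pml4_uk));
    for (int i = DMAP_SLOT_FIRST; i < DMAP_SLOT_FIRST + DMAP_NSLOTS; i++)
        if (p->pml4_iso[i] & PG_V) { p->pml4_iso[i] = 0; removed++; }
    return removed;
}

/* Audit for part 3: kernel-half entries still present in the isolated map.
 * After part 1 everything except the DMAP remains, so this is not yet 0. */
int kernel_entries_present(const struct model_pmap *p)
{
    int n = 0;
    for (int i = KPML4I_FIRST; i < NPML4E; i++)
        n += (p->pml4_iso[i] & PG_V) != 0;
    return n;
}

/* Constructed sample process: one user slot, two kernel slots plus the DMAP. */
struct model_pmap *sample_pmap(void)
{
    static struct model_pmap s;
    if (!s.cr3_uk) {
        s.cr3_uk = 0x1000; s.cr3_iso = 0x2000;
        s.pml4_uk[0] = 0x10000 | PG_V; s.pml4_uk[256] = 0x20000 | PG_V; s.pml4_uk[511] = 0x30000 | PG_V;
        for (int i = 0; i < DMAP_NSLOTS; i++)
            s.pml4_uk[DMAP_SLOT_FIRST + i] = (0x40000ULL + 0x1000 * i) | PG_V;
        build_isolated_pml4(&s);
    }
    return &s;
}
```

With this model, kernel_entries_present() on the isolated copy is the check that should drop to just the trampoline slots once part 3 replaces the kernel map.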

DragonFly BSD source repository
