On Wed, Nov 04, 2009 at 02:57:59AM +0100, Claire beuserie wrote:
> Hi,
>
> On Wed, Nov 4, 2009 at 12:58 AM, Theo de Raadt <[email protected]> wrote:
>
> > 2) At least three of our developers were aware of this exploitation
> > method going back perhaps two years before the commit, but we
> > gnashed our teeth a lot to try to find other solutions. Clever
> > cpu architectures don't have this issue because the virtual address
> > spaces are separate, so i386/amd64 are the ones with the big impact.
> > We did think long and hard about tlb bashing page 0 every time we
> > switch into the kernel, but it still does not look attractive from
> > a performance standpoint.
> >
>
> I'm confused.
>
> That came out a bit weird: are you saying you knew about the bug for 2 years
> but did not fix it?
Allowing a mapping at address zero is not a bug per se, but it opens a
door for other bugs to be exploited more effectively. This door has
been closed, but only after hard thinking went into how to close it.
-Otto
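The point Otto makes is that a user mapping at address zero is not itself a bug, but it is what turns a kernel NULL-pointer dereference from a crash into a read of attacker-chosen memory. The check a defender wants is therefore whether their own system still allows such a mapping. The following C probe is an added example written for this note; it is not code from the thread or from OpenBSD. It assumes a POSIX mmap() with MAP_ANONYMOUS and MAP_FIXED, falls back to a 4096-byte page size if sysconf() cannot report one, and never reads or writes through the mapping: it only asks the kernel for page zero and releases it again. On Linux the refusal corresponds to the vm.mmap_min_addr sysctl.

```c
/* Added example: probe whether this system lets a process place a mapping
 * at virtual address zero.  Not from the mailing-list thread or OpenBSD. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

enum page_zero_status {
    PAGE_ZERO_REFUSED = 0,   /* kernel rejected the mapping: mitigation in place */
    PAGE_ZERO_MAPPABLE = 1   /* mapping succeeded: page zero is user-mappable */
};

struct page_zero_probe {
    enum page_zero_status status;
    int err;                 /* errno from mmap() when refused, else 0 */
};

/* Try to map one page at address 0 with MAP_FIXED.  Without MAP_FIXED the
 * kernel silently relocates the hint and the probe would prove nothing.
 * Nothing is ever accessed through the mapping; on success it is unmapped
 * immediately, so the probe is safe to run on a production host. */
struct page_zero_probe probe_page_zero_mapping(void)
{
    struct page_zero_probe r = { PAGE_ZERO_REFUSED, 0 };
    long pagesz = sysconf(_SC_PAGESIZE);
    void *p;

    if (pagesz <= 0)
        pagesz = 4096;       /* assumption: common page size as a fallback */

    p = mmap((void *)0, (size_t)pagesz, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        r.err = errno;
        return r;
    }
    /* p is address 0 here; do not dereference it, just release it. */
    munmap(p, (size_t)pagesz);
    r.status = PAGE_ZERO_MAPPABLE;
    return r;
}

/* Human-readable interpretation of a probe result. */
const char *page_zero_verdict(struct page_zero_probe r)
{
    if (r.status == PAGE_ZERO_MAPPABLE)
        return "page zero is mappable: a NULL dereference can hit controlled data";
    if (r.err == EPERM)
        return "refused with EPERM: low-address mappings are blocked by policy";
    if (r.err == EINVAL)
        return "refused with EINVAL: address zero is not a valid mapping target";
    return "refused: mapping at address zero not permitted";
}

int main(void)
{
    struct page_zero_probe r = probe_page_zero_mapping();
    printf("%s (errno=%d%s%s)\n", page_zero_verdict(r), r.err,
           r.err ? ": " : "", r.err ? strerror(r.err) : "");
    return r.status == PAGE_ZERO_REFUSED ? 0 : 1;
}
```

Run it once as an ordinary user and once as root: the result you want on every host is PAGE_ZERO_REFUSED in both cases, which is why the exit status is non-zero when the mapping succeeds, so the probe can sit in a hardening audit script.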