Quotes of the week
Quotes of the week
Posted Jun 14, 2012 12:32 UTC (Thu) by nevets (subscriber, #11875)In reply to: Quotes of the week by Felix.Braun
Parent article: Quotes of the week
Also the kernel needs to create a page descriptor for every page of RAM. This page table must always be present and takes up that 885 megs. When you have a lot of RAM, this table grows, but the total access does not. It's like raising taxes on people on social security or other fixed income.
All kernel related operations take place in that 885 megs. Even if you have 2Gigs or 4Gigs of RAM, the kernel does not use any more. If the kernel needs to do any operations on the memory outside this range, (besides copy_from_user) it must map that page into its own address space (where the extra 100 megs are used for). This slows down the kernel and the system in general.
For systems with 2, 4, or possibly even 8Gigs, the kernel is still remarkably efficient in doing this, but it still has its cost. When you go above 8gigs, now you are just asking for trouble. I may have been a bit extreme when saying anything over 1Gig should produce that message. But it definitely should say it for over 8G (and possible just over 4).
Read Documentation/vm/highmem.txt for more information.
Posted Jun 14, 2012 13:02 UTC (Thu)
by nevets (subscriber, #11875)
[Link]
> This page table must always be present and takes up that 885 megs
I meant to say "takes up part of that 885 megs", the way I wrote it, it looks like it takes it all up. But with a big enough amount of RAM, it could.
Posted Jun 14, 2012 13:14 UTC (Thu)
by PaXTeam (guest, #24616)
[Link] (6 responses)
Posted Jun 14, 2012 14:19 UTC (Thu)
by nevets (subscriber, #11875)
[Link] (5 responses)
If you're going to modify the kernel, might as well just install x86_64 instead.
> an area where amd64 is worse is security due to the lack of segmentation, the baby went with the bathwater unfortunately
Bah! Linux never bother with much of the segmentation crap that i386 uses to begin with. Sure, it separates userspace from kernel space, but it does nothing to protect one task from another. Page tables are used for that purpose.
Show me one security errata that was the result of removing segmentation from x86. And I mean for Linux.
Posted Jun 14, 2012 15:39 UTC (Thu)
by PaXTeam (guest, #24616)
[Link] (4 responses)
it's an existing kernel config option, nothing needs to be modified.
> Linux never bother with much of the segmentation crap that i386 uses to begin with.
pre 2.0 (iirc) task switching? set_fs()? TLS? ;)
> Sure, it separates userspace from kernel space,
nope, (vanilla) linux uses flat segments, there's no separation at the segment level.
> but it does nothing to protect one task from another. Page tables are used for that purpose.
true but what's that matter here? ;)
> Show me one security errata that was the result of removing segmentation from x86. And I mean for Linux.
every single kernel-dereferences-unintended-userland-pointer bug (something that UDEREF in PaX protects against if you want to see how it's done properly). and asking for actual security errata when the declared policy from high up is to actively suppress them is... too funny if it wasn't so sad at the same time :P. in any case, http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=linux+ker... should get you started.
Posted Jun 14, 2012 16:11 UTC (Thu)
by nevets (subscriber, #11875)
[Link] (3 responses)
> it's an existing kernel config option, nothing needs to be modified.
Modifying config options does modify the kernel. Do you need to recompile?
> pre 2.0 (iirc) task switching? set_fs()? TLS? ;)
I started working with 2.0, so I should never had said 'never' ;-)
Yeah, I knew about TLS, that's why I said 'much of segmentation', instead of saying 'any of segmentation'.
> nope, (vanilla) linux uses flat segments, there's no separation at the segment level.
Ah sorry, was thinking that it did. It's been a while since I've actually worked with segments. I know the kernel was not limited against accessing userspace, but I was thinking that userspace had the added protection of segments to protect against accessing the kernel.
> when the declared policy from high up is to actively suppress them is... too funny if it wasn't so sad at the same time
Are you saying that since Linux uses a flat segment space that the bugs happen for both i386 and x86_64?
Posted Jun 14, 2012 16:23 UTC (Thu)
by PaXTeam (guest, #24616)
[Link] (2 responses)
i think for most people (esp. kernel devs) modify = patch, and not 'reconfigure'. but for all i care, i got the point across :).
> but I was thinking that userspace had the added protection of segments to protect against accessing the kernel.
even if the default segments were set up this way, there's modify_ldt and TLS to get around them.
> Are you saying that since Linux uses a flat segment space that the bugs happen for both i386 and x86_64?
yes (if 'happen' = 'are exploitable'). UDEREF on i386 uses segmentation to prevent exactly this class of bugs from becoming exploitable beyond DoS.
Posted Jun 14, 2012 16:38 UTC (Thu)
by nevets (subscriber, #11875)
[Link] (1 responses)
Which goes back to my original point. Why run vanilla Linux i386 on x86_64. It's better to just run x86_64 kernel with a i386 userspace, then an i386 kernel if you have extended RAM.
Posted Jun 14, 2012 18:11 UTC (Thu)
by PaXTeam (guest, #24616)
[Link]
Quotes of the week
Quotes of the week
Quotes of the week
Quotes of the week
Quotes of the week
Quotes of the week
Quotes of the week
Quotes of the week