I would like help understanding a particular aspect of meltdown.

My understanding is that the meltdown bug can be used for a userspace linux process to access kernel memory (indirectly, through a timing side channel). Listing 2 in the meltdown paper is:

    ; rcx = kernel address
    ; rbx = probe array
    retry:
    mov al, byte [rcx]
    shl rax, 0xc
    jz retry
    mov rbx, qword [rbx + rax]

What I am confused about is how a "kernel address" can exist inside a userspace process. Wouldn't a userspace process have its own address space and memory mapping, different to the kernel? My expectation is that in a userspace process the address inside rcx would be translated to something other than what it would be translated to inside the kernel. Probably just an error/segmentation fault.

How is it possible for a userspace process in linux to refer to a kernel address?

forest
river

1 Answer

As a performance optimization, the kernel memory was mapped within the memory space of the application. The pages are protected, but the page tables were (before KPTI) mapped in so they did not have to load them from memory on each system call. Now each system call incurs additional overhead to load the kernel page tables.

David
  • Thank you very much for the answer. If I can just ask if I understand this right, the kernel memory is mapped inside all user space applications but it has "read and write and execute" permission all turned off? – river Jan 08 '18 at 17:08
  • Those pages have 'supervisor' flag set, which makes them accessible only from kernel mode: https://wiki.osdev.org/Paging#Handling – domen Mar 07 '18 at 10:27
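To make the answer and domen's comment concrete, here is an added example (not code from the thread, the Meltdown paper or Linux itself) that models the x86-64 page-table-entry permission check: a kernel page can be present in the user process's page tables, so its address translates, yet the U/S bit makes every ring-3 access fault; with KPTI the entry is simply absent from the user-mode tables. The bit positions are the standard ones from the osdev Paging page linked in the comment; the two sample PTE values are constructed, and `kpti_user_view` is a deliberate simplification of KPTI.

```c
/* Added example, not from the thread or the Meltdown paper: a model of the x86-64
 * page-table-entry permission check, showing how a kernel page can sit in a user
 * process's page tables yet fault on every ring-3 access, and what KPTI changes.
 * Bit positions follow the osdev Paging page linked above; sample PTEs are constructed. */
#include <stdint.h>
#include <stdio.h>

#define PTE_PRESENT   (1ULL << 0)  /* P   : entry is valid */
#define PTE_WRITE     (1ULL << 1)  /* R/W : writable */
#define PTE_USER      (1ULL << 2)  /* U/S : 1 = user may access, 0 = supervisor only */
#define PTE_NX        (1ULL << 63) /* XD  : not executable */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL /* bits 12..51: physical frame */
enum access_result { ACCESS_OK, FAULT_NOT_PRESENT, FAULT_SUPERVISOR, FAULT_READ_ONLY, FAULT_NO_EXEC };

/* Constructed entries: a user stack page and a kernel text page sharing one
 * address space, as in a pre-KPTI Linux x86-64 process. */
static const uint64_t SAMPLE_USER_STACK_PTE  = 0x0000000012345000ULL | PTE_PRESENT | PTE_WRITE | PTE_USER | PTE_NX;
static const uint64_t SAMPLE_KERNEL_TEXT_PTE = 0x0000000001000000ULL | PTE_PRESENT; /* supervisor, read+exec */

uint64_t pte_frame(uint64_t pte) { return pte & PTE_ADDR_MASK; }

/* The check the MMU applies after the page walk has located this PTE.
 * user = 1 for ring 3, 0 for ring 0; write/exec describe the access. */
enum access_result check_access(uint64_t pte, int user, int write, int exec) {
    if (!(pte & PTE_PRESENT)) return FAULT_NOT_PRESENT;
    /* Translation succeeded (the frame is known) but U/S denies ring 3: the fault
     * the asker expected, and the one the load in Listing 2 must architecturally raise. */
    if (user && !(pte & PTE_USER)) return FAULT_SUPERVISOR;
    if (write && !(pte & PTE_WRITE)) return FAULT_READ_ONLY;
    if (exec && (pte & PTE_NX)) return FAULT_NO_EXEC;
    return ACCESS_OK;
}

/* KPTI, simplified: the page tables active in user mode omit supervisor entries
 * (except a small entry trampoline, ignored here), so the address no longer translates. */
uint64_t kpti_user_view(uint64_t pte) { return (pte & PTE_USER) ? pte : 0; }

static const char *result_name(enum access_result r) {
    static const char *names[] = { "ok", "not present", "supervisor-only", "read-only", "no-exec" };
    return names[r];
}

int main(void) {
    printf("kernel text, ring 0 exec      : %s\n", result_name(check_access(SAMPLE_KERNEL_TEXT_PTE, 0, 0, 1)));
    printf("kernel text, ring 3 read      : %s (frame %llx still resolves)\n",
           result_name(check_access(SAMPLE_KERNEL_TEXT_PTE, 1, 0, 0)), (unsigned long long)pte_frame(SAMPLE_KERNEL_TEXT_PTE));
    printf("kernel text, ring 3 with KPTI : %s\n", result_name(check_access(kpti_user_view(SAMPLE_KERNEL_TEXT_PTE), 1, 0, 0)));
    printf("user stack, ring 3 exec       : %s\n", result_name(check_access(SAMPLE_USER_STACK_PTE, 1, 0, 1)));
    return 0;
}
```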