From 99e4bedb74069db08f51c16eef680384d89a2d6e Mon Sep 17 00:00:00 2001
From: Achilleas Anagnostopoulos
Date: Wed, 31 May 2017 14:09:16 +0100
Subject: [PATCH] Recursively map last P4 entry to itself

This allows us to use specially-crafted virtual memory addresses to remove indirection levels and access the actual page table entries.
---
 arch/x86_64/asm/rt0_32.s | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/arch/x86_64/asm/rt0_32.s b/arch/x86_64/asm/rt0_32.s
index b07a0e1..4e6fc3f 100644
--- a/arch/x86_64/asm/rt0_32.s
+++ b/arch/x86_64/asm/rt0_32.s
@@ -247,6 +247,12 @@ _rt0_populate_initial_page_tables:
 or eax, PAGE_PRESENT | PAGE_WRITABLE
 mov ebx, page_table_l4 - PAGE_OFFSET
 mov [ebx], eax
+
+ ; Recursively map the last P4 entry to itself. This allows us to use
+ ; specially crafted memory addresses to access the page tables themselves
+ mov ecx, ebx
+ or ecx, PAGE_PRESENT | PAGE_WRITABLE
+ mov [ebx + 511*8], ecx
 
 ; Also map the addresses starting at PAGE_OFFSET to the same P3 table.
 ; To find the P4 index for PAGE_OFFSET we need to extract bits 39-47
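Review bot: The recursive slot is hard-coded as `511*8` in `mov [ebx + 511*8], ecx`, and nothing guards against the P4 index derived from PAGE_OFFSET on the following lines (bits 39-47) also being 511, in which case that later store would silently overwrite the recursive entry (or vice versa) — a higher-half kernel placed at -2 GiB (0xFFFFFFFF80000000) lands in exactly that slot. Name the slot, e.g. `P4_RECURSIVE_IDX equ 511`, and, if this is NASM, add an assemble-time guard such as `%if ((PAGE_OFFSET >> 39) & 0x1ff) == P4_RECURSIVE_IDX` / `%error "PAGE_OFFSET P4 index collides with the recursive slot"` / `%endif` next to the index computation. Like the existing `mov [ebx], eax` above it, the new store writes only the low dword of the 8-byte entry, so the upper half (including bit 63, the NX bit) presumably relies on page_table_l4 being zero-initialised — worth stating in the comment, e.g. `; low dword only; upper dword (incl. NX) stays 0 from zero-initialised table`. The entry is supervisor-only (no PAGE_USER), which is the right default for a writable window onto the page tables. _rt0_populate_initial_page_tables starts before and continues past this hunk, so whether ecx is live here cannot be confirmed from the hunk.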