Jonathan S. Shapiro
Sat, 12 Sep 1998 10:13:15 -0400
I botched a small detail in the implementation of capability pages.
In the fast path for capability invocation, the kernel verifies the
transmitted string (and in the small space case, the receive string)
by first performing a bounds check (on x86 this is done by using the
user mode segment register) and then doing a read operation on each
page. This works because the kernel shares the user's mapping with
the user process, and a page will only be valid in the user address
range if it is valid to the user process.
On the x86 the last point is vital, because it means we know that
there are no supervisor-only pages in the user address range.
Unfortunately, I broke this when I added capability pages. Capability
pages are mapped in the user address range, but are accessable only to
This is straightforwardly fixed -- the kernel has to run translation
by hand for capability pages anyway, and it can therefore access the
page via its kernel-mode alias. I just wanted to point it out as a
case where there can be subtle interactions in this part of the design