> On Jan 5, 2018, at 11:10 AM, Borislav Petkov <b...@alien8.de> wrote: > >> On Fri, Jan 05, 2018 at 10:45:49AM -0800, Andy Lutomirski wrote: >> Not _PAGE_RW. Probably _PAGE_USER somewhere in the hierarchy. > > Yeah, just realized that. But it must be somewhere in the PT hierarchy > because: > > 0xffffffffff600000-0xffffffffff601000 4K USR ro > NX pte > > So something up needs to take _PAGE_USER too. > > But WTF does it say NX there for and still can execute the vsyscall > test? Oh boy, what a mess... >
It's emulated! We catch the page fault and fake the whole thing :) > -- > Regards/Gruss, > Boris. > > Good mailing practices for 400: avoid top-posting and trim the reply.
