Fuchsia Inside

Published: June 29, 2021

Memory Management

User page table for a process is: ArmArchVmAspace->tt_phys_

The page table allocation is in ArmArchVmAspace->Init.

The context switch code is: ContextSwitch where the tt_phys_ value is written to the ttbr0_el1.

Zircon provides zx_process_create syscall, which is implemented in sys_process_create, which calls

Zircon Handles allows user space programs to reference kernel objects.

Sharable Resource: Zircon maintains a global struct call HandleTableArena gHandleTableArena for allocating all Handles.
Limit: The arena has a limit for all live handles, specified by kMaxHandleCount, whose value is 256 * 1024. gHandleTableArena contains a member of fbl::GPArena<Handle::PreserveSize, sizeof(Handle)> arena_, whose Init allocates kMaxHandleCount * handle_size memory. If the number of live handles goes beyond the limit, Alloc will return nullptr.
Abstract Resource Attack: The attacker can consume handles to exhaust all handles in gHandleTableArena. 1) Handles are frequently-used in Zircon. Any events, processes, or threads are consuming new handles. 2) Currently we did not find any per-user limits on handles. 3) If handles are exhausted, the users cannot send events or creates any processes or threads.
Count: GPArena maintains a count_, which increments in Alloc.

Zircon supports 21 rights list.

The right data structure zx_rights_t is defined in zircon/system/public/zircon/rights.h as a uint32_t. The code is typedef uint32_t zx_rights_t.

For rights, the basic check function is the handle->HasRights. Such as in system calls zx_handle_duplicate, the basic check is used in handle_dup_replace.

The right checking has wrappers, such as GetDispatcherWithRights, which in turn calls HasRights.

Zircon supports about 150 system calls full list.

The system calls will list the rights it required.