On Thu, May 25, 2017 at 9:18 PM, Kevin Easton <kevin@xxxxxxxxxxx> wrote:
> (If it weren't for that, maybe you could point the last entry in the PML4
> at the PML4 itself, so it also works as a PML5 for accessing kernel
> addresses? And of course make sure nothing gets loaded above
> 0xffffff8000000000).

This was an old trick done for a very different reason: it lets you find
your page tables at virtual addresses that depend only on the VA whose page
table you're looking for and the top-level slot that points back to itself.
IIRC Windows used to do this for its own memory management purposes.

A major downside is that an arbitrary write vulnerability lets you write
your own PTEs without any guesswork.

--Andy
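The address arithmetic behind the recursive-slot trick discussed above, as an added example that is not part of the thread: it assumes x86-64 4-level paging (48-bit canonical addresses, 9-bit indices, 8-byte entries) and a PML4 slot `slot` that points at the PML4's own page, and uses a constructed sample VA. It computes where the PML4E, PDPTE, PDE and PTE for a given VA appear in the virtual address space, which is exactly why those entries become a fixed-address write target once they exist.

```c
/* Recursive page-table mapping on x86-64 4-level paging (constructed example).
 * Assumption: PML4 entry `slot` maps the physical page of the PML4 itself. */
#include <stdint.h>
#include <stdio.h>

#define IDX_BITS    9
#define ENTRY_SIZE  8
#define LOW48(va)   ((va) & 0x0000FFFFFFFFFFFFULL)

/* Canonicalise: copy bit 47 into bits 63:48. */
static uint64_t sext48(uint64_t va)
{
    return (va & (1ULL << 47)) ? (va | 0xFFFF000000000000ULL) : LOW48(va);
}

/* Index into the table at paging level `level` (1 = PT ... 4 = PML4) for `va`. */
unsigned pt_index(uint64_t va, int level)
{
    return (unsigned)((LOW48(va) >> (12 + IDX_BITS * (level - 1))) & 0x1FF);
}

/* Virtual address of the page-table entry at `level` that maps `va`.
 * The hardware walk passes through the recursive slot `level` times and then
 * through the remaining (4 - level) real indices of `va`; the last real index
 * is left over and becomes the 8-byte entry offset inside the table page. */
uint64_t recursive_entry_va(uint64_t va, unsigned slot, int level)
{
    uint64_t addr = 0, rest;
    int i;
    for (i = 0; i < level; i++)
        addr |= (uint64_t)(slot & 0x1FF) << (39 - IDX_BITS * i);
    /* Drop one 9-bit index per recursion; what survives sits below the
     * recursive indices, with the lowest index at bits 11:3. */
    rest = LOW48(va) >> (IDX_BITS * level);
    rest &= (1ULL << (39 - IDX_BITS * (level - 1))) - 1;
    rest &= ~(uint64_t)(ENTRY_SIZE - 1);
    return sext48(addr | rest);
}

int main(void)
{
    uint64_t va = 0xffff888000000000ULL;   /* constructed sample address */
    int level;
    for (level = 1; level <= 4; level++)
        printf("level %d entry for %#llx is at %#llx\n", level,
               (unsigned long long)va,
               (unsigned long long)recursive_entry_va(va, 511, level));
    return 0;
}
```

With `slot` = 511, as in Kevin's suggestion, the recursive region occupies 0xffffff8000000000 and up, and the PML4 page itself is visible at 0xfffffffffffff000.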