hehe this is the "install another security layer to introduce less security" model
2009/9/15 Jon Passki <[email protected]>

> 2009/9/15 Dag-Erling Smørgrav <[email protected]>
>
> > Pieter de Boer <[email protected]> writes:
> > > Given the amount of NULL-pointer dereference vulnerabilities in the
> > > FreeBSD kernel that have been discovered of late,
> >
> > Specify "amount" and define "of late".
> >
> > > By disallowing userland to map pages at address 0x0 (and a bit beyond),
> > > it is possible to make such NULL-pointer deref bugs mere DoS'es instead
> > > of code execution bugs. Linux has implemented such a protection for a
> > > long while now, by disallowing page mappings on 0x0 - 0xffff.
> >
> > Yes, that really worked out great for them:
> >
> > http://isc.sans.org/diary.html?storyid=6820
>
> As I assume you know, one reason (not the only reason) the exploit
> works is because the SELinux default policy allowed (allows?) users to
> map at NULL, regardless of the protections offered by the OS (e.g.
> Redhat w/ mmap_min_addr). His later exploit framework abuses SELinux
> another way by downgrading protection by going into libselinux and
> uses a context such as wine_t to execute at NULL [1]. It's not that
> mmap_min_addr failed (which it doesn't on some distros of Linux); it's
> that other mechanisms exist that can undo the control put into place.
>
> Cheers,
>
> Jon Passki
>
> [1] http://grsecurity.net/~spender/enlightenment.tgz, exploit.c, pa__init()

--
the sun shines for all
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"
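A host-side check of the mitigation the quoted thread is about, added here as an example and not code from any poster: it asks the kernel to place one anonymous page at the lowest addresses and reports whether the request is refused, so it tests the effective behaviour (sysctl plus whatever SELinux or other policy layers do) rather than just the value of the mmap_min_addr knob. The probe addresses, result names and the EPERM/EACCES classification are the example's own assumptions.

```c
/* Added example (not from the thread): audit whether this host refuses
 * low user mappings, the protection discussed above.  Assumes a POSIX
 * mmap(); on Linux the mmap_min_addr check surfaces as EPERM and an
 * SELinux mmap_zero denial typically as EACCES. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

enum probe_result { LOW_PAGE_BLOCKED, LOW_PAGE_MAPPABLE, PROBE_INCONCLUSIVE };

/* Classify an mmap() outcome.  Pure function so the decision logic can be
 * checked independently of the kernel the auditor happens to run on. */
enum probe_result classify_mmap(void *ret, int err, void *wanted)
{
    if (ret == MAP_FAILED)
        return (err == EPERM || err == EACCES) ? LOW_PAGE_BLOCKED
                                               : PROBE_INCONCLUSIVE;
    /* MAP_FIXED was honoured only if the kernel returned the exact address */
    return ret == wanted ? LOW_PAGE_MAPPABLE : PROBE_INCONCLUSIVE;
}

/* Try to place one anonymous page at `addr` (MAP_FIXED so the kernel cannot
 * quietly relocate the hint) and release it again immediately. */
enum probe_result probe_low_mapping(uintptr_t addr)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *want = (void *)addr;
    void *p = mmap(want, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    int err = errno;
    enum probe_result r = classify_mmap(p, err, want);
    if (p != MAP_FAILED)
        munmap(p, page);
    return r;
}

int main(void)
{
    static const char *names[] = {
        "blocked (NULL-deref bugs stay a DoS)",
        "MAPPABLE (a kernel NULL deref could run user code)",
        "inconclusive (unexpected errno or address)" };
    /* page 0 and page 1: both lie inside the 0x0 - 0xffff range the
     * thread mentions and are never legitimately mapped in a process */
    uintptr_t probes[] = { 0x0, 0x1000 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("mmap at %#lx: %s\n", (unsigned long)probes[i],
               names[probe_low_mapping(probes[i])]);
    return 0;
}
```

Run it as an unprivileged user; a root shell holding CAP_SYS_RAWIO is allowed past mmap_min_addr on Linux and would report "mappable" without that meaning anything for ordinary users.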
