On Tue, 15 Sep 2009, Pieter de Boer wrote:
> Given the amount of NULL-pointer dereference vulnerabilities in the FreeBSD
> kernel that have been discovered of late, I've started looking at a way to
> generically protect against the code execution possibilities of such bugs.
> By disallowing userland to map pages at address 0x0 (and a bit beyond), it
> is possible to make such NULL-pointer deref bugs mere DoSes instead of code
> execution bugs. Linux has implemented such a protection for a long while
> now, by disallowing page mappings on 0x0 - 0xffff.
>
> On FreeBSD, it appears that simply bumping up VM_MIN_ADDRESS to 65536
> downgrades a whole class of code execution vulnerabilities to DoS
> vulnerabilities. I've raised that #define to 65536 on a 6.4-RELEASE i386 VM.
> This made at least the mmap() method to map at 0x0 fail.
FYI, changes are now going into head to implement this policy, although by
slightly different mechanisms. I expect to see them merged to various
branches, and also to active security branches (although disabled there by
default using a sysctl so as not to disturb existing setups unless desired by
the administrator).
Robert
> So:
>
> - How do you feel about disallowing such mappings to protect against
> NULL-pointer deref code executions?
> - Is bumping VM_MIN_ADDRESS enough to protect against all methods of
> creating such mappings (on all supported platforms)?
> - Are there unwanted side-effects of raising VM_MIN_ADDRESS?
> - Should I file a PR to get this into FreeBSD?
>
> Lemme know,
> Pieter
_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "[email protected]"