Matthias Drochner wrote:
Module Name: src
Committed By: drochner
Date: Thu Feb 18 14:57:01 UTC 2010
Modified Files:
src/sys/uvm: files.uvm uvm_map.c
Log Message:
Disable mapping of virtual address 0 by user programs per default.
This blocks an easy exploit of kernel bugs leading to dereference
of a NULL pointer on some architectures (eg i386).
The check can be disabled in various ways:
-by CPP definitions in machine/types.h (portmaster's choice)
-by a kernel config option USER_VA0_DISABLED_DEFAULT=0
-at runtime by sysctl vm.user_va0_disabled (cannot be cleared
at securelevel>0)
I was wondering how you achieved that without modifying any of the
secmodel code itself, and indeed--
+static int
+sysctl_user_va0_disabled(SYSCTLFN_ARGS)
+{
+ struct sysctlnode node;
+ int t, error;
+
+ node = *rnode;
+ node.sysctl_data = &t;
+ t = user_va0_disabled;
+ error = sysctl_lookup(SYSCTLFN_CALL(&node));
+ if (error || newp == NULL)
+ return (error);
+
+ /* lower only at securelevel < 1 */
+ if (!t && user_va0_disabled &&
+ kauth_authorize_system(l->l_cred,
+ KAUTH_SYSTEM_CHSYSFLAGS /* XXX */, 0,
+ NULL, NULL, NULL))
+ return EPERM;
+
+ user_va0_disabled = !!t;
+ return 0;
+}
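Review bot: the securelevel gate at `kauth_authorize_system(l->l_cred, KAUTH_SYSTEM_CHSYSFLAGS /* XXX */, 0, NULL, NULL, NULL)` borrows an action whose meaning is a file-system flags change, so a secmodel cannot tell this sysctl request apart from a real chsysflags request and the XXX is left for someone else to resolve; either introduce a dedicated KAUTH_SYSTEM_* action for lowering vm.user_va0_disabled, or document the reuse where the action is defined so the marker can be dropped. Minor points in the same block: the error returned by kauth_authorize_system is discarded in favour of a hard-coded `return EPERM;` (returning the kauth result would preserve whatever the secmodel decided), and the function mixes `return (error);` with `return EPERM;` / `return 0;` style.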
Who's going to take care of that XXX referring to the use of an
undocumented action, meant to be used only in file-systems?
-e.