Module Name: src Committed By: drochner Date: Thu Feb 18 14:57:01 UTC 2010
Modified Files: src/sys/uvm: files.uvm uvm_map.c Log Message: Disable mapping of virtual address 0 by user programs per default. This blocks an easy exploit of kernel bugs leading to dereference of a NULL pointer on some architectures (eg i386). The check can be disabled in various ways: -by CPP definitions in machine/types.h (portmaster's choice) -by a kernel config option USER_VA0_DISABLED_DEFAULT=0 -at runtime by sysctl vm.user_va0_disabled (cannot be cleared at securelevel>0) To generate a diff of this commit: cvs rdiff -u -r1.16 -r1.17 src/sys/uvm/files.uvm cvs rdiff -u -r1.287 -r1.288 src/sys/uvm/uvm_map.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: src/sys/uvm/files.uvm diff -u src/sys/uvm/files.uvm:1.16 src/sys/uvm/files.uvm:1.17 --- src/sys/uvm/files.uvm:1.16 Wed Oct 21 21:12:07 2009 +++ src/sys/uvm/files.uvm Thu Feb 18 14:57:01 2010 @@ -1,4 +1,4 @@ -# $NetBSD: files.uvm,v 1.16 2009/10/21 21:12:07 rmind Exp $ +# $NetBSD: files.uvm,v 1.17 2010/02/18 14:57:01 drochner Exp $ # # UVM options @@ -10,6 +10,7 @@ defflag opt_ubc.h UBC_STATS defparam opt_pagermap.h PAGER_MAP_SIZE defflag PDPOLICY_CLOCKPRO +defparam USER_VA0_DISABLED_DEFAULT file uvm/uvm_amap.c file uvm/uvm_anon.c Index: src/sys/uvm/uvm_map.c diff -u src/sys/uvm/uvm_map.c:1.287 src/sys/uvm/uvm_map.c:1.288 --- src/sys/uvm/uvm_map.c:1.287 Mon Feb 8 19:02:33 2010 +++ src/sys/uvm/uvm_map.c Thu Feb 18 14:57:01 2010 @@ -1,4 +1,4 @@ -/* $NetBSD: uvm_map.c,v 1.287 2010/02/08 19:02:33 joerg Exp $ */ +/* $NetBSD: uvm_map.c,v 1.288 2010/02/18 14:57:01 drochner Exp $ */ /* * Copyright (c) 1997 Charles D. Cranor and Washington University. @@ -71,7 +71,7 @@ */ #include <sys/cdefs.h> -__KERNEL_RCSID(0, "$NetBSD: uvm_map.c,v 1.287 2010/02/08 19:02:33 joerg Exp $"); +__KERNEL_RCSID(0, "$NetBSD: uvm_map.c,v 1.288 2010/02/18 14:57:01 drochner Exp $"); #include "opt_ddb.h" #include "opt_uvmhist.h" @@ -89,6 +89,11 @@ #include <sys/vnode.h> #include <sys/lockdebug.h> #include <sys/atomic.h> +#ifndef __USER_VA0_IS_SAFE +#include <sys/sysctl.h> +#include <sys/kauth.h> +#include "opt_user_va0_disabled_default.h" +#endif #ifdef SYSVSHM #include <sys/shm.h> @@ -168,6 +173,17 @@ vaddr_t uvm_maxkaddr; #endif +#ifndef __USER_VA0_IS_SAFE +#ifndef __USER_VA0_DISABLED_DEFAULT +#define __USER_VA0_DISABLED_DEFAULT 1 +#endif +#ifdef USER_VA0_DISABLED_DEFAULT /* kernel config option overrides */ +#undef __USER_VA0_DISABLED_DEFAULT +#define __USER_VA0_DISABLED_DEFAULT USER_VA0_DISABLED_DEFAULT +#endif +static int user_va0_disabled = __USER_VA0_DISABLED_DEFAULT; +#endif + /* * macros */ @@ -1174,6 +1190,12 @@ KASSERT((flags & UVM_FLAG_QUANTUM) == 0 || VM_MAP_IS_KERNEL(map)); KASSERT((size & PAGE_MASK) == 0); +#ifndef __USER_VA0_IS_SAFE + if ((flags & UVM_FLAG_FIXED) && *startp == 0 && + !VM_MAP_IS_KERNEL(map) && user_va0_disabled) + return EACCES; +#endif + /* * for pager_map, allocate the new entry first to avoid sleeping * for memory while we have the map locked. @@ -5215,3 +5237,40 @@ } #endif /* DDB || DEBUGPRINT */ + +#ifndef __USER_VA0_IS_SAFE +static int +sysctl_user_va0_disabled(SYSCTLFN_ARGS) +{ + struct sysctlnode node; + int t, error; + + node = *rnode; + node.sysctl_data = &t; + t = user_va0_disabled; + error = sysctl_lookup(SYSCTLFN_CALL(&node)); + if (error || newp == NULL) + return (error); + + /* lower only at securelevel < 1 */ + if (!t && user_va0_disabled && + kauth_authorize_system(l->l_cred, + KAUTH_SYSTEM_CHSYSFLAGS /* XXX */, 0, + NULL, NULL, NULL)) + return EPERM; + + user_va0_disabled = !!t; + return 0; +} + +SYSCTL_SETUP(sysctl_uvmmap_setup, "sysctl uvmmap setup") +{ + + sysctl_createv(clog, 0, NULL, NULL, + CTLFLAG_PERMANENT|CTLFLAG_READWRITE, + CTLTYPE_INT, "user_va0_disabled", + SYSCTL_DESCR("Disable VA 0"), + sysctl_user_va0_disabled, 0, &user_va0_disabled, 0, + CTL_VM, CTL_CREATE, CTL_EOL); +} +#endif