On Sat, Jul 30, 2016 at 11:12:57AM +0200, Maxime Villard wrote:
> You know - as well as I do - that NULL pointer dereferences are quite
> common,
> and that it is the main way to execute malicious code in kernel mode.
Sorry, but you are not making your point very clear, please try to explain in more detail! Many people are more familiar with sane architectures where userland and kernel do not share any VA mappings.

Now what I understood is you worry about shared VA architectures like x86, where the 0 page is not usually mapped by the kernel for NetBSD binaries. But the code trying to prevent a userland mmap() call from mapping a page at VA 0 is buggy, and the userland code could even trick the kernel into mapping at that VA with exec permissions.

This is all unrelated (I think, but am not sure) to all other uses of the 0 VA page by emulation or architecture-specific code (i.e. the ARM case mentioned). It is also slightly unrelated to the Wine case, where VA 0 is explicitly requested (and either denied or granted depending on the sysctl), since fixing the bug would still allow an explicit VA 0 mapping if allowed and granted.

Did I understand that correctly?

Martin
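A sanity check for the behaviour discussed above, added here as an example and not code from the thread: it asks the kernel for one anonymous page at VA 0 (plain RW, then RWX) and reports whether each request was refused, which is what a defender wants to confirm after the mmap() check is fixed. The sysctl names in the comments are assumptions about NetBSD and Linux, not taken from the message.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

/* Try to map one anonymous page at VA 0 with the given protection.
 * Returns 1 if the kernel granted the mapping (it is unmapped again
 * immediately), 0 if the request was refused. The expected answer on a
 * hardened system is 0 unless the knob allowing VA 0 has been relaxed on
 * purpose (assumed names: vm.user_va0_disable on NetBSD, vm.mmap_min_addr
 * on Linux). */
static int va0_mapping_granted(int prot)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, pagesize, prot,
                   MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return 0;              /* refused: errno is typically EPERM or EINVAL */
    munmap(p, pagesize);       /* never leave a page mapped at NULL */
    return p == (void *)0;     /* MAP_FIXED must honour the address exactly */
}

/* Bit 0: an RW mapping at VA 0 was granted; bit 1: an RWX mapping was granted.
 * A nonzero result means a kernel NULL pointer dereference would hit
 * user-controlled memory on this host. */
int probe_va0(void)
{
    int r = 0;
    if (va0_mapping_granted(PROT_READ | PROT_WRITE))
        r |= 1;
    if (va0_mapping_granted(PROT_READ | PROT_WRITE | PROT_EXEC))
        r |= 2;
    return r;
}

int main(void)
{
    int r = probe_va0();
    printf("VA 0 RW mapping:  %s\n", (r & 1) ? "GRANTED" : "refused");
    printf("VA 0 RWX mapping: %s\n", (r & 2) ? "GRANTED" : "refused");
    return r ? 1 : 0;          /* nonzero exit flags a weakened host */
}
```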
