Miod Vallat <[email protected]> wrote:

Absolutely this should be fixed.
> Shortly afterwards, in addition to fixing the overtrusting code, it was
> decided never to allow mmap(2) to allow address zero to get mapped, by
> never making VM_MIN_ADDRESS equal to zero (I actually argued for this
> change to only be applied to platforms with shared kernel/userland
> address spaces, but the party's line prevailed), which is why
> VM_MIN_ADDRESS is nowadays PAGE_SIZE instead of zero.

I still stand by the position that an accidental *NULL dereference should not accidentally land on top of a mapped 0 page. Not in userland, and not in the kernel either.

I continue to be worried by attackers who have incomplete control, but are able to trick an mmap call into mapping at 0, and then in the following incomplete attack hide NULL or NULL+n dereferences, before later steps which elevate to control.

On the other hand, no one needs to map memory there. So blocking page 0 still makes sense.
