Date:      Sun, 27 Sep 2009 19:39:13 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        Pieter de Boer <pieter@thedarkside.nl>
Cc:        freebsd-security@freebsd.org
Subject:   Re: Protecting against kernel NULL-pointer derefs
Message-ID:  <alpine.BSF.2.00.0909271937490.41451@fledge.watson.org>
In-Reply-To: <4AAF4A64.3080906@thedarkside.nl>
References:  <4AAF4A64.3080906@thedarkside.nl>


On Tue, 15 Sep 2009, Pieter de Boer wrote:

> Given the amount of NULL-pointer dereference vulnerabilities in the FreeBSD 
> kernel that have been discovered of late, I've started looking at a way to 
> generically protect against the code execution possibilities of such bugs.
>
> By disallowing userland to map pages at address 0x0 (and a bit beyond), it 
> is possible to make such NULL-pointer deref bugs mere DoS'es instead of code 
> execution bugs. Linux has implemented such a protection for a long while 
> now, by disallowing page mappings on 0x0 - 0xffff.
>
> On FreeBSD, it appears that simply bumping up VM_MIN_ADDRESS to 65536 
> downgrades a whole class of code execution vulnerabilities to DoS 
> vulnerabilities. I've raised that #define to 65536 on a 6.4-RELEASE i386 VM. 
> This made at least the mmap() method to map at 0x0 fail.

FYI, changes are now going into head to implement this policy, although by 
slightly different mechanisms.  I expect to see them merged to various 
branches, and also to active security branches (although disabled there by 
default using a sysctl so as not to disturb existing setups unless desired by 
the administrator).

Robert

>
> So:
> - How do you feel about disallowing such mappings to protect against
> NULL-pointer deref code executions?
> - Is bumping VM_MIN_ADDRESS enough to protect against all methods of
> creating such mappings (on all supported platforms)?
> - Are there unwanted side-effects of raising VM_MIN_ADDRESS?
> - Should I file a PR to get this into FreeBSD?
>
> Lemme know,
> Pieter
>
>
>
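
A way to verify the behaviour discussed above (userland mappings at 0x0 through 0xffff being refused), as an added example that is not part of the thread or of FreeBSD's code. The names `probe_fixed_map`, `first_mappable_below` and `LOW_LIMIT` are hypothetical; 0x10000 is the 65536 proposed in the quoted mail.

```c
/* Added example (not from the thread): report whether this process may map
 * pages in the low range 0x0-0xffff that the mail proposes to disallow. */
#define _DEFAULT_SOURCE /* expose MAP_ANON under strict -std= on glibc */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

#define LOW_LIMIT ((uintptr_t)0x10000) /* 65536, as proposed for VM_MIN_ADDRESS */
enum { LOW_MAP_DENIED = 0, LOW_MAP_ALLOWED = 1 };

/* Try a one-page anonymous MAP_FIXED mapping at addr. Only call this for
 * addresses below LOW_LIMIT: MAP_FIXED replaces whatever is already mapped,
 * and a normal process has nothing in that range. */
static int probe_fixed_map(uintptr_t addr, int *err_out)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        *err_out = errno;
        return LOW_MAP_DENIED;
    }
    munmap(p, pagesz); /* release at once; the probe never touches the page */
    *err_out = 0;
    return LOW_MAP_ALLOWED;
}

/* Lowest page-aligned address in [0, limit) that can be mapped, or limit
 * itself when every page below it is refused (the protected state). */
static uintptr_t first_mappable_below(uintptr_t limit)
{
    uintptr_t step = (uintptr_t)sysconf(_SC_PAGESIZE);
    int err;
    for (uintptr_t a = 0; a < limit; a += step)
        if (probe_fixed_map(a, &err) == LOW_MAP_ALLOWED)
            return a;
    return limit;
}

int main(void)
{
    uintptr_t first = first_mappable_below(LOW_LIMIT);
    printf("first mappable address: 0x%lx (protected if 0x%lx)\n",
           (unsigned long)first, (unsigned long)LOW_LIMIT);
    return first < LOW_LIMIT; /* nonzero exit: part of the low range is mappable */
}
```

Run it as an unprivileged user; a result below 0x10000 means some page in the low range can still be mapped from userland.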


