From: Robert Watson <rwatson@FreeBSD.org>
Date: Sun, 27 Sep 2009 19:39:13 +0100 (BST)
To: Pieter de Boer
Cc: freebsd-security@freebsd.org
Subject: Re: Protecting against kernel NULL-pointer derefs
In-Reply-To: <4AAF4A64.3080906@thedarkside.nl>
References: <4AAF4A64.3080906@thedarkside.nl>

On Tue, 15 Sep 2009, Pieter de Boer wrote:

> Given the amount of NULL-pointer dereference vulnerabilities in the FreeBSD
> kernel that have been discovered of late, I've started looking at a way to
> generically protect against the code execution possibilities of such bugs.
>
> By disallowing userland to map pages at address 0x0 (and a bit beyond), it
> is possible to make such NULL-pointer deref bugs mere DoS'es instead of code
> execution bugs. Linux has implemented such a protection for a long while
> now, by disallowing page mappings on 0x0 - 0xffff.
>
> On FreeBSD, it appears that simply bumping up VM_MIN_ADDRESS to 65536
> downgrades a whole class of code execution vulnerabilities to DoS
> vulnerabilities. I've raised that #define to 65536 on a 6.4-RELEASE i386 VM.
> This made at least the mmap() method to map at 0x0 fail.

FYI, changes are now going into head to implement this policy, although by
slightly different mechanisms. I expect to see them merged to various
branches, and also to active security branches (although disabled there by
default using a sysctl so as not to disturb existing setups unless desired
by the administrator).

Robert

> So:
> - How do you feel about disallowing such mappings to protect against
>   NULL-pointer deref code executions?
> - Is bumping VM_MIN_ADDRESS enough to protect against all methods of
>   creating such mappings (on all supported platforms)?
> - Are there unwanted side-effects of raising VM_MIN_ADDRESS?
> - Should I file a PR to get this into FreeBSD?
>
> Lemme know,
> Pieter
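As an added illustration of the check Pieter describes (an mmap() at 0x0 failing once the low range is protected), and not code from this thread, from FreeBSD, or from Linux: a small C program that attempts an anonymous MAP_FIXED mapping at address zero, releases it again if the kernel allowed it, and reports the outcome. It also carries a pure range check against the 65536 (0x10000) threshold discussed above so the policy can be reasoned about without touching the kernel. It assumes only a POSIX mmap()/munmap() and sysconf(); the helper names, MIN_USER_ADDR, and the sample addresses in main() are this example's own.

```c
/* Added example: probe whether this kernel lets userland map address 0.
 * A mapping at 0 is what turns a kernel NULL-pointer dereference from a
 * crash into something worse, so "denied" is the hardened outcome.
 */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Threshold under discussion: VM_MIN_ADDRESS raised to 65536, i.e. the
 * Linux-style protected range 0x0 - 0xffff. Example constant, not a
 * kernel symbol. */
#define MIN_USER_ADDR 65536UL

/* Pure policy check: would a fixed mapping starting at addr fall inside
 * the protected low region [0, min_addr)? Returns 1 if it would, else 0.
 * Only the start address matters: a request that begins at or above
 * min_addr never reaches back below it. A zero-length request touches
 * nothing and is reported as allowed. */
int touches_low_region(uintptr_t addr, size_t len, uintptr_t min_addr)
{
    if (len == 0)
        return 0;
    return addr < min_addr ? 1 : 0;
}

/* Live probe: ask the kernel for one page at address 0 with MAP_FIXED
 * (without MAP_FIXED an address of 0 is merely "no hint", so it would not
 * exercise the policy). Returns 1 if the kernel granted the mapping (it is
 * unmapped again immediately), 0 if it refused. On refusal *err receives
 * the errno the kernel reported (EPERM on Linux, EINVAL on FreeBSD are
 * typical); on success *err is set to 0. */
int probe_map_at_zero(int *err)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        if (err)
            *err = errno;
        return 0;
    }
    /* The kernel allowed it: release the page so nothing is left at 0. */
    munmap(p, page);
    if (err)
        *err = 0;
    return 1;
}

int main(void)
{
    int err = 0;
    int allowed = probe_map_at_zero(&err);

    if (allowed)
        printf("mmap(0, MAP_FIXED) SUCCEEDED: this kernel permits userland "
               "mappings at address 0 (unhardened)\n");
    else
        printf("mmap(0, MAP_FIXED) refused: %s (hardened)\n", strerror(err));

    /* Constructed sample requests checked against the 65536 threshold. */
    printf("0x0     -> %s\n", touches_low_region(0x0, 4096, MIN_USER_ADDR)
                                  ? "in protected range" : "allowed");
    printf("0xffff  -> %s\n", touches_low_region(0xffff, 1, MIN_USER_ADDR)
                                  ? "in protected range" : "allowed");
    printf("0x10000 -> %s\n", touches_low_region(0x10000, 4096, MIN_USER_ADDR)
                                  ? "in protected range" : "allowed");
    return allowed ? 1 : 0;
}
```

The exit status is 1 when the mapping was allowed, so the program can be dropped into a hardening check script. The sysctl Robert mentions is not named in the thread; on later FreeBSD releases the knob is security.bsd.map_at_zero and on Linux the equivalent threshold is vm.mmap_min_addr (both stated here from general knowledge, not from the thread; confirm with sysctl on the system in question). Run the probe as an unprivileged user: a process holding raw-memory privileges may be exempted from the policy and would report a misleading "allowed".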