Date: Tue, 15 Sep 2009 15:24:39 +0100
From: István <leccine@gmail.com>
To: Jon Passki <jon@passki.us>
Cc: Dag-Erling Smørgrav <des@des.no>, Pieter de Boer <pieter@thedarkside.nl>, freebsd-security@freebsd.org
Subject: Re: Protecting against kernel NULL-pointer derefs
Message-ID: <b8592ed80909150724t31327e4ud25c64f2e17e3d74@mail.gmail.com>
In-Reply-To: <ece944060909150658u24f2f93aycf9a9d6b829f5a33@mail.gmail.com>
References: <4AAF4A64.3080906@thedarkside.nl> <86ab0w2z05.fsf@ds4.des.no> <ece944060909150658u24f2f93aycf9a9d6b829f5a33@mail.gmail.com>
hehe this is the "install another security layer to introduce less security" model

2009/9/15 Jon Passki <jon@passki.us>
> 2009/9/15 Dag-Erling Smørgrav <des@des.no>
> >
> > Pieter de Boer <pieter@thedarkside.nl> writes:
> > > Given the amount of NULL-pointer dereference vulnerabilities in the
> > > FreeBSD kernel that have been discovered of late,
> >
> > Specify "amount" and define "of late".
> >
> > > By disallowing userland to map pages at address 0x0 (and a bit beyond),
> > > it is possible to make such NULL-pointer deref bugs mere DoSes instead
> > > of code execution bugs. Linux has implemented such a protection for a
> > > long while now, by disallowing page mappings on 0x0 - 0xffff.
> >
> > Yes, that really worked out great for them:
> >
> > http://isc.sans.org/diary.html?storyid=6820
>
> As I assume you know, one reason (not the only reason) the exploit
> works is because the SELinux default policy allowed (allows?) users to
> map at NULL, regardless of the protections offered by the OS (e.g.
> Redhat w/ mmap_min_addr). His later exploit framework abuses SELinux
> another way by downgrading protection by going into libselinux and
> uses a context such as wine_t to execute at NULL [1]. It's not that
> mmap_min_addr failed (which it doesn't on some distros of Linux); it's
> that other mechanisms exist that can undo the control put into place.
>
> Cheers,
>
> Jon Passki
>
> [1] http://grsecurity.net/~spender/enlightenment.tgz,
> exploit.c, pa__init()
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

-- 
the sun shines for all
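The low-address mapping control argued over in this thread, as an added example that is not part of the thread and is not code from the FreeBSD or Linux kernel. It does three things: models the check as a standalone function (a fixed mapping is refused when it starts below a minimum address or its length wraps the address space), reads Linux's vm.mmap_min_addr sysctl from /proc where that file exists, and then asks the running kernel for a fixed page at address 0 so the reader can see what the live policy actually does. The function names low_map_allowed, read_mmap_min_addr and probe_null_page are hypothetical; the /proc path is Linux's. Whether the live probe is refused depends on the kernel, the sysctl value and the caller's privileges, which is Jon's point: a sysctl that reads 65536 proves little if some other mechanism lets the caller map low anyway, so probe rather than trust.

```c
/* Added example: models and probes the "no mappings at address 0" control.
 * Not from the thread or from either kernel; function names are hypothetical. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Policy model of the control: a fixed mapping [addr, addr+len) is allowed
 * only if it starts at or above min_addr.  Returns 1 if allowed, 0 if denied.
 * A zero length is denied, and a length that makes addr+len wrap is denied
 * so that a huge length cannot disguise a low start address. */
int low_map_allowed(uintptr_t addr, size_t len, uintptr_t min_addr)
{
    if (len == 0)
        return 0;
    if (addr > UINTPTR_MAX - len)      /* addr + len would wrap */
        return 0;
    return addr >= min_addr ? 1 : 0;
}

/* Reads Linux's vm.mmap_min_addr from /proc.  Returns the value, or -1 when
 * the file is absent (other kernels) or unreadable. */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    long v = -1;

    if (f == NULL)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Asks the running kernel for one page fixed at address 0.
 * Returns 1 if the kernel granted it (a kernel NULL deref could then read
 * attacker-controlled data at 0), 0 if it refused (errno stored in *err;
 * a kernel NULL deref is then only a crash), -1 if the probe itself could
 * not be set up.  /dev/zero stands in for MAP_ANONYMOUS so the probe needs
 * no feature macros; the page is unmapped again at once. */
int probe_null_page(int *err)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    int fd = open("/dev/zero", O_RDONLY);
    void *p;

    *err = 0;
    if (fd < 0) {
        *err = errno;
        return -1;
    }
    p = mmap((void *)0, pg, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_FIXED, fd, 0);
    close(fd);
    if (p == MAP_FAILED) {
        *err = errno;
        return 0;
    }
    /* p == NULL here: userland now owns the page a kernel NULL deref lands on. */
    munmap(p, pg);
    return 1;
}

int main(void)
{
    int err = 0;
    long min_addr = read_mmap_min_addr();

    printf("vm.mmap_min_addr: %ld (-1 = not available)\n", min_addr);
    printf("model, min_addr 65536: map at 0x0 %s, at 0xffff %s, at 0x10000 %s\n",
           low_map_allowed(0x0, 4096, 65536) ? "allowed" : "denied",
           low_map_allowed(0xffff, 4096, 65536) ? "allowed" : "denied",
           low_map_allowed(0x10000, 4096, 65536) ? "allowed" : "denied");

    switch (probe_null_page(&err)) {
    case 1:
        printf("live: page at 0 granted; a kernel NULL deref is exploitable here\n");
        break;
    case 0:
        printf("live: page at 0 refused (%s); a kernel NULL deref is a DoS here\n",
               strerror(err));
        break;
    default:
        printf("live: probe could not run (%s)\n", strerror(err));
    }
    return 0;
}
```

Compile with `cc -o nullmap nullmap.c` and run once unprivileged and once as root: the model never changes its answer, but the live probe can, and a root process that is granted the page while the sysctl still reads 65536 is the kind of gap the thread describes.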