From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 14:24:42 2009
From: István (envelope-from leccine@gmail.com)
To: Jon Passki
Cc: Dag-Erling Smørgrav, Pieter de Boer, freebsd-security@freebsd.org
Date: Tue, 15 Sep 2009 15:24:39 +0100
References: <4AAF4A64.3080906@thedarkside.nl> <86ab0w2z05.fsf@ds4.des.no>
Subject: Re: Protecting against kernel NULL-pointer derefs

hehe this is the "install another security layer to introduce less security" model

2009/9/15 Jon Passki

> 2009/9/15 Dag-Erling Smørgrav
>
> > Pieter de Boer writes:
> > > Given the amount of NULL-pointer dereference vulnerabilities in the
> > > FreeBSD kernel that have been discovered of late,
> >
> > Specify "amount" and define "of late".
> >
> > > By disallowing userland to map pages at address 0x0 (and a bit beyond),
> > > it is possible to make such NULL-pointer deref bugs mere DoS'es instead
> > > of code execution bugs. Linux has implemented such a protection for a
> > > long while now, by disallowing page mappings on 0x0 - 0xffff.
> >
> > Yes, that really worked out great for them:
> >
> > http://isc.sans.org/diary.html?storyid=6820
>
> As I assume you know, one reason (not the only reason) the exploit
> works is because the SELinux default policy allowed (allows?) users to
> map at NULL, regardless of the protections offered by the OS (e.g.
> Redhat w/ mmap_min_addr). His later exploit framework abuses SELinux
> another way by downgrading protection by going into libselinux and
> uses a context such as wine_t to execute at NULL [1]. It's not that
> mmap_min_addr failed (which it doesn't on some distros of Linux); it's
> that other mechanisms exist that can undo the control put into place.
>
> Cheers,
>
> Jon Passki
>
> [1] http://grsecurity.net/~spender/enlightenment.tgz,
> exploit.c, pa__init()

-- 
the sun shines for all
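The thread above argues about whether a minimum-mapping-address rule (Linux vm.mmap_min_addr, or the equivalent proposed for FreeBSD) actually holds, given Jon's point that another layer such as an SELinux policy can undo it. The following probe is an added example, not code from anyone in the thread or from either project: it does not read a sysctl and trust it, it asks the kernel directly whether the current process is allowed to place a page in the 0x0 - 0xffff window the thread names, and reports the effective answer for this security context. The only real interfaces used are mmap(2), munmap(2), sysconf(3) and, on Linux, /proc/sys/vm/mmap_min_addr; the errno classification (EPERM, EACCES or EINVAL counted as "denied by policy") is my assumption about how the different kernels refuse such a mapping.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of trying to place one page at a given low address. */
enum low_map_result { LOW_MAP_DENIED = 0, LOW_MAP_ALLOWED = 1, LOW_MAP_ERROR = 2 };

/* Map one anonymous page exactly at `addr` (MAP_FIXED) and release it again.
 * A kernel enforcing a minimum mapping address refuses: Linux answers EPERM,
 * and (assumption) other kernels answer EACCES or EINVAL. With a page-aligned
 * address and valid flags those are the only policy refusals, so anything else
 * is reported as LOW_MAP_ERROR to keep "policy said no" separate from
 * "the probe itself failed". Only call this for addresses a normal process
 * never uses (the first 64 KiB): MAP_FIXED would replace an existing mapping. */
static enum low_map_result probe_fixed_mapping(uintptr_t addr, int *saved_errno)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        *saved_errno = errno;
        return (errno == EPERM || errno == EACCES || errno == EINVAL)
                   ? LOW_MAP_DENIED : LOW_MAP_ERROR;
    }
    munmap(p, page);
    *saved_errno = 0;
    return LOW_MAP_ALLOWED;
}

/* Count the pages in [0, limit) this process may map. Zero means the whole
 * window is protected; any nonzero count means a kernel NULL-pointer
 * dereference could land on memory this security context controls. */
static int count_mappable_low_pages(uintptr_t limit)
{
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t a;
    int allowed = 0, e;
    for (a = 0; a < limit; a += page)
        if (probe_fixed_mapping(a, &e) == LOW_MAP_ALLOWED)
            allowed++;
    return allowed;
}

/* Linux only: the configured vm.mmap_min_addr, or -1 where the file does not
 * exist (e.g. FreeBSD), so the configured value can be compared with what the
 * kernel actually enforced for this process. */
static long read_linux_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    long v = -1;
    if (f) {
        if (fscanf(f, "%ld", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

int main(void)
{
    const uintptr_t limit = 0x10000; /* the 0x0 - 0xffff window from the thread */
    int e;
    long configured = read_linux_mmap_min_addr();
    enum low_map_result at_zero = probe_fixed_mapping(0, &e);
    int mappable = count_mappable_low_pages(limit);

    if (configured >= 0)
        printf("configured vm.mmap_min_addr: %ld\n", configured);
    printf("mapping at address 0: %s (errno %d)\n",
           at_zero == LOW_MAP_DENIED ? "denied" :
           at_zero == LOW_MAP_ALLOWED ? "ALLOWED" : "probe error", e);
    printf("mappable pages below 0x%lx: %d\n", (unsigned long)limit, mappable);
    /* Non-zero exit makes this usable as a hardening check in a build or audit job. */
    return mappable == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Run it once as an ordinary user and once under every security context that matters (a confined SELinux domain, a jail, a process holding CAP_SYS_RAWIO): the configured sysctl stays the same across those runs, but the effective result is what decides whether the kernel bug is a crash or a code-execution path, which is exactly the distinction Jon draws.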