Date: Mon, 27 Jul 2009 08:43:13 -0400
From: John Baldwin <jhb@freebsd.org>
To: Robert Watson <rwatson@freebsd.org>
Cc: Perforce Change Reviews <perforce@freebsd.org>, Jonathan Anderson <jona@freebsd.org>
Subject: Re: PERFORCE change 166430 for review
Message-ID: <200907270843.13699.jhb@freebsd.org>
In-Reply-To: <alpine.BSF.2.00.0907261041150.17422@fledge.watson.org>
References: <200907230537.n6N5bfaM064484@repoman.freebsd.org> <200907240943.08676.jhb@freebsd.org> <alpine.BSF.2.00.0907261041150.17422@fledge.watson.org>
On Sunday 26 July 2009 5:42:49 am Robert Watson wrote:
> On Fri, 24 Jul 2009, John Baldwin wrote:
>
> > On Thursday 23 July 2009 1:37:41 am Jonathan Anderson wrote:
> >> http://perforce.freebsd.org/chv.cgi?CH=166430
> >>
> >> Change 166430 by jona@jona-trustedbsd-belle-vmware on 2009/07/23 05:36:50
> >>
> >> mmap() can fail and return MAP_FAILED, not just NULL!
> >
> > MAP_FAILED is actually the only invalid pointer it will return. This should
> > probably not be checking for NULL.
>
> NULL is actually a valid place to map a page, and therefore can be returned by
> a successful mapping. In fact, this has been a key requirement for exploiting
> a number of recent Linux (and one FreeBSD) kernel security vulnerabilities, in
> which a NULL function pointer is dereferenced by the kernel without properly
> checking first. If userspace maps kernel exploit code at NULL or a suitable
> relative offset, that code will run with kernel privilege.

Ah, I did not realize the NULL check was a security check rather than a
correctness check.

-- 
John Baldwin