From: "Simon L. Nielsen" <simon@FreeBSD.org>
Date: Sun, 27 Sep 2009 14:49:51 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Message-Id: <200909271449.n8REnpUX027608@svn.freebsd.org>
Subject: svn commit: r197537 - head/sys/vm

Author: simon
Date: Sun Sep 27 14:49:51 2009
New Revision: 197537

URL: http://svn.freebsd.org/changeset/base/197537

Log:
  Do not allow mmap with the MAP_FIXED argument to map at address zero.
  This is done to make it harder to exploit kernel NULL pointer security
  vulnerabilities.  While this of course does not fix vulnerabilities, it
  does mitigate their impact.

  Note that this may break some applications, most likely emulators or
  similar, which for one reason or another require mapping memory at
  zero.  This restriction can be disabled with the security.bsd.mmap_zero
  sysctl variable.

  Discussed with:	rwatson, bz
  Tested by:	bz (Wine), simon (VirtualBox)
  Submitted by:	jhb

Modified:
  head/sys/vm/vm_mmap.c

Modified: head/sys/vm/vm_mmap.c
==============================================================================
--- head/sys/vm/vm_mmap.c	Sun Sep 27 14:00:16 2009	(r197536)
+++ head/sys/vm/vm_mmap.c	Sun Sep 27 14:49:51 2009	(r197537)
@@ -97,6 +97,14 @@ SYSCTL_INT(_vm, OID_AUTO, max_proc_mmap, "Maximum number of memory-mapped files per process"); /* + * 'mmap_zero' determines whether or not MAP_FIXED mmap() requests for + * virtual address zero are permitted. + */ +static int mmap_zero; +SYSCTL_INT(_security_bsd, OID_AUTO, mmap_zero, CTLFLAG_RW, &mmap_zero, 0, + "Processes may map an object at virtual address zero"); + +/* * Set the maximum number of vm_map_entry structures per process. Roughly * speaking vm_map_entry structures are tiny, so allowing them to eat 1/100 * of our KVM malloc space still results in generous limits. We want a @@ -229,7 +237,8 @@ mmap(td, uap) pos = uap->pos; fp = NULL; - /* make sure mapping fits into numeric range etc */ + + /* Make sure mapping fits into numeric range, etc. */ if ((uap->len == 0 && !SV_CURPROC_FLAG(SV_AOUT) && curproc->p_osrel >= 800104) || ((flags & MAP_ANON) && uap->fd != -1)) @@ -267,6 +276,14 @@ mmap(td, uap) addr -= pageoff; if (addr & PAGE_MASK) return (EINVAL); + + /* + * Mapping to address zero is only permitted if + * mmap_zero is enabled. + */ + if (addr == 0 && !mmap_zero) + return (EINVAL); + /* Address range must be all in user VM space. */ if (addr < vm_map_min(&vms->vm_map) || addr + size > vm_map_max(&vms->vm_map))
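Review bot: in the first hunk the sysctl description string "Processes may map an object at virtual address zero" undersells what the knob controls; the comment right above it says the check applies only to MAP_FIXED requests, so the description should say so too (e.g. "Processes may MAP_FIXED an object at virtual address zero"), since that string is what `sysctl -d security.bsd.mmap_zero` shows an operator who is chasing the new EINVAL. Related documentation gap: the log warns that emulators may break, but the diff touches only vm_mmap.c, so the new sysctl and the new EINVAL case should also land in mmap(2), either here or in a follow-up.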
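Review bot: the second hunk (after `fp = NULL;`) is whitespace and comment churn unrelated to the fix: it adds a blank line and recapitalizes "make sure mapping fits into numeric range etc". Harmless, but a security mitigation is easier to audit and to merge to stable branches when it carries only the functional change; drop this hunk or commit it separately.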
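Review bot: in the third hunk the new `if (addr == 0 && !mmap_zero)` sits correctly after `addr -= pageoff;` and the `addr & PAGE_MASK` test, so a request whose page-rounded address is zero is refused even when the caller passed a non-zero addr; the weakness is diagnosability. The policy denial returns the same bare EINVAL as the alignment failure two lines above, and nothing records that the check fired, so an emulator that breaks (as the log anticipates) fails with an opaque mmap(2) error. Consider a rate-limited notice (for example via uprintf) naming the process when the request is refused, so the operator knows to look at security.bsd.mmap_zero.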
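To make the reasoning in the log concrete, the following is an added example, not code from the commit or from FreeBSD's tree. It models in userland the argument validation the patched mmap() applies to a MAP_FIXED request, then probes the running kernel by asking for a fixed, writable page at address 0 and, if granted, writes into it: that writable page zero is what a kernel NULL pointer dereference would then read, which is the exploitation step the mitigation is meant to deny. Assumptions not shown in the diff: the page offset is derived from the file offset as in vm_mmap.c (`pageoff = pos & PAGE_MASK`), the page size is modelled as 4096, and the errno a non-FreeBSD kernel returns for the probe is whatever that kernel's own policy chooses.

```c
/*
 * Added example (not from the FreeBSD commit): userland model of the
 * MAP_FIXED address check introduced in r197537, plus a live probe of
 * the running kernel's willingness to map virtual address zero.
 *
 * Assumptions: pageoff comes from the file offset as in vm_mmap.c
 * (pageoff = pos & PAGE_MASK), and the page size is modelled as 4096.
 */
#define _GNU_SOURCE            /* for MAP_ANON on glibc; harmless elsewhere */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define MODEL_PAGE_SIZE 4096UL
#define MODEL_PAGE_MASK (MODEL_PAGE_SIZE - 1UL)

/*
 * Model of the validation mmap() performs on a MAP_FIXED request after
 * r197537.  Returns 0 if the request would proceed, else the errno the
 * kernel returns.  mmap_zero stands in for security.bsd.mmap_zero
 * (0 by default: page zero refused).  Without MAP_FIXED, addr is only a
 * hint and the kernel chooses the address, so the check does not apply.
 */
int model_mmap_addr_check(uintptr_t addr, uintptr_t pos, int flags, int mmap_zero)
{
    uintptr_t pageoff = pos & MODEL_PAGE_MASK;

    if (!(flags & MAP_FIXED))
        return 0;
    addr -= pageoff;                  /* rewind by the file offset's page offset */
    if (addr & MODEL_PAGE_MASK)       /* addr and pos must agree modulo page size */
        return EINVAL;
    if (addr == 0 && !mmap_zero)      /* the r197537 check */
        return EINVAL;
    return 0;
}

/*
 * Ask the running kernel for one anonymous, writable page fixed at
 * address 0.  Returns 0 if granted (no mitigation, or the FreeBSD sysctl
 * set to 1), otherwise the errno the kernel returned (EINVAL from the
 * check modelled above on FreeBSD; other kernels use their own codes).
 * When granted, the page is written and read back through the mapping:
 * unprivileged code now controls the bytes at address zero.
 */
int probe_fixed_zero_page(void)
{
    long pg = sysconf(_SC_PAGESIZE);
    volatile uint32_t *page;
    void *p;

    if (pg <= 0)
        return EINVAL;
    p = mmap((void *)0, (size_t)pg, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return errno;
    page = (volatile uint32_t *)p;
    *page = 0x41414141u;              /* attacker-chosen contents at address 0 */
    (void)*page;
    munmap(p, (size_t)pg);
    return 0;
}

int main(void)
{
    int r;

    printf("model: MAP_FIXED @0, mmap_zero=0      -> %s\n",
           strerror(model_mmap_addr_check(0, 0, MAP_FIXED | MAP_ANON, 0)));
    printf("model: MAP_FIXED @0, mmap_zero=1      -> %s\n",
           strerror(model_mmap_addr_check(0, 0, MAP_FIXED | MAP_ANON, 1)));
    printf("model: MAP_FIXED @0x1000              -> %s\n",
           strerror(model_mmap_addr_check(0x1000, 0, MAP_FIXED | MAP_ANON, 0)));
    printf("model: MAP_FIXED @0x100, pos 0x100    -> %s (rounds to page 0)\n",
           strerror(model_mmap_addr_check(0x100, 0x100, MAP_FIXED, 0)));

    r = probe_fixed_zero_page();
    if (r == 0)
        printf("kernel: fixed mapping at address 0 GRANTED (no mitigation active)\n");
    else
        printf("kernel: fixed mapping at address 0 refused: %s\n", strerror(r));
    return 0;
}
```

On a FreeBSD system with this commit the probe reports EINVAL by default and succeeds after `sysctl security.bsd.mmap_zero=1`, which is the switch the log offers for emulators such as Wine or VirtualBox that need page zero. The fourth model case shows why the check comes after `addr -= pageoff`: a caller passing addr 0x100 with file offset 0x100 is also asking for page zero and is refused.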