Date: Sun, 26 Jul 2009 10:42:49 +0100 (BST)
From: Robert Watson
To: John Baldwin
Cc: Perforce Change Reviews, Jonathan Anderson
Subject: Re: PERFORCE change 166430 for review
In-Reply-To: <200907240943.08676.jhb@freebsd.org>

On Fri, 24 Jul 2009, John Baldwin wrote:

> On Thursday 23 July 2009 1:37:41 am Jonathan Anderson wrote:
>> http://perforce.freebsd.org/chv.cgi?CH=166430
>>
>> Change 166430 by jona@jona-trustedbsd-belle-vmware on 2009/07/23 05:36:50
>>
>> mmap() can fail and return MAP_FAILED, not just NULL!
>
> MAP_FAILED is actually the only invalid pointer it will return. This should
> probably not be checking for NULL.
NULL is actually a valid place to map a page, and therefore can be returned by a successful mapping. In fact, this has been a key requirement for exploiting a number of recent Linux (and one FreeBSD) kernel security vulnerabilities, in which a NULL function pointer is dereferenced by the kernel without properly checking first. If userspace maps kernel exploit code at NULL or a suitable relative offset, that code will run with kernel privilege.

Robert