Date:      Tue, 15 Sep 2009 10:03:48 +0200
From:      Pieter de Boer <pieter@thedarkside.nl>
To:        freebsd-security@freebsd.org
Subject:   Protecting against kernel NULL-pointer derefs
Message-ID:  <4AAF4A64.3080906@thedarkside.nl>

All,

Given the amount of NULL-pointer dereference vulnerabilities in the
FreeBSD kernel that have been discovered of late, I've started looking
at a way to generically protect against the code execution possibilities
of such bugs.

By disallowing userland to map pages at address 0x0 (and a bit beyond),
it is possible to make such NULL-pointer deref bugs mere DoS'es instead
of code execution bugs. Linux has implemented such a protection for a
long while now, by disallowing page mappings on 0x0 - 0xffff.

On FreeBSD, it appears that simply bumping up VM_MIN_ADDRESS to 65536
downgrades a whole class of code execution vulnerabilities to DoS
vulnerabilities. I've raised that #define to 65536 on a 6.4-RELEASE i386
VM. This made at least the mmap() method to map at 0x0 fail.

So:
- How do you feel about disallowing such mappings to protect against
NULL-pointer deref code executions?
- Is bumping VM_MIN_ADDRESS enough to protect against all methods of
creating such mappings (on all supported platforms)?
- Are there unwanted side-effects of raising VM_MIN_ADDRESS?
- Should I file a PR to get this into FreeBSD?

Lemme know,
Pieter
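The following is an added example, not part of Pieter's message and not code from the FreeBSD tree. It shows two things a maintainer evaluating this proposal would want: a small model of the bound check the post describes (a fixed-address request is allowed only if the whole range sits at or above the lower limit, here assumed to be 0x10000 as in the post), and a live probe that asks the running kernel, via mmap(2) with MAP_FIXED, whether it will hand out a page at address 0x0, so the mitigation can be confirmed on a host after the change. `LOW_PAGE_GUARD`, `fixed_mapping_allowed` and `probe_fixed_mapping` are names chosen for this example, not kernel symbols.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Assumed lower bound for userland mappings, mirroring the 65536 (0x10000)
 * the post proposes for VM_MIN_ADDRESS. The kernel's own constant is not
 * visible from userland; this value is an assumption for the example. */
#define LOW_PAGE_GUARD 0x10000UL

/* Model of the check a kernel applies to a fixed-address request: the whole
 * range [addr, addr+len) must lie at or above min_addr, len must be
 * non-zero, and the range must not wrap around the address space.
 * Returns 1 if the mapping would be allowed, 0 if it would be refused. */
int fixed_mapping_allowed(uintptr_t addr, size_t len, uintptr_t min_addr)
{
    if (len == 0)
        return 0;
    if (addr + (uintptr_t)len < addr)   /* wraparound */
        return 0;
    return addr >= min_addr;
}

/* Live probe: ask the kernel for one read-only anonymous page at exactly
 * `addr`. Returns 1 if the kernel granted it (low-address mappings are
 * possible for this caller), 0 if it refused, storing errno in *err.
 * A granted page is unmapped immediately; nothing is ever written to it.
 * Only use this with low addresses (below the guard) where a normal process
 * has nothing mapped, because MAP_FIXED replaces whatever is already there. */
int probe_fixed_mapping(uintptr_t addr, int *err)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, (size_t)pagesz, PROT_READ,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        *err = errno;
        return 0;
    }
    munmap(p, (size_t)pagesz);
    *err = 0;
    return 1;
}

int main(void)
{
    int err = 0;

    /* Compare the model's verdict with what the kernel actually does. */
    printf("model with guard 0x%lx: mapping at 0x0 %s\n", LOW_PAGE_GUARD,
           fixed_mapping_allowed(0, 4096, LOW_PAGE_GUARD) ? "allowed" : "refused");

    if (probe_fixed_mapping(0, &err))
        printf("kernel: page at 0x0 was granted; NULL-deref mitigation is "
               "not in effect for this process\n");
    else
        printf("kernel: page at 0x0 refused (%s); low-address mappings "
               "are blocked\n", strerror(err));
    return 0;
}
```

The pure function is what the test below exercises, since the live probe's outcome depends on the kernel and on the caller's privileges (on Linux, for instance, a sufficiently privileged process may still be granted the page even with the equivalent vm.mmap_min_addr setting in place). Run the binary as an unprivileged user on the host under evaluation and read the second line.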