From: Pieter de Boer <pieter@thedarkside.nl>
To: freebsd-security@freebsd.org
Date: Tue, 15 Sep 2009 10:03:48 +0200
Subject: Protecting against kernel NULL-pointer derefs
Message-ID: <4AAF4A64.3080906@thedarkside.nl>
List-Id: "Security issues [members-only posting]"

All,

Given the amount of NULL-pointer dereference vulnerabilities in the FreeBSD kernel that have been discovered of late, I've started looking at a way to generically protect against the code execution possibilities of such bugs. By disallowing userland to map pages at address 0x0 (and a bit beyond), it is possible to make such NULL-pointer deref bugs mere DoS'es instead of code execution bugs. Linux has implemented such a protection for a long while now, by disallowing page mappings on 0x0 - 0xffff.

On FreeBSD, it appears that simply bumping up VM_MIN_ADDRESS to 65536 downgrades a whole class of code execution vulnerabilities to DoS vulnerabilities. I've raised that #define to 65536 on a 6.4-RELEASE i386 VM. This made at least the mmap() method to map at 0x0 fail.

So:

- How do you feel about disallowing such mappings to protect against NULL-pointer deref code executions?
- Is bumping VM_MIN_ADDRESS enough to protect against all methods of creating such mappings (on all supported platforms)?
- Are there unwanted side-effects of raising VM_MIN_ADDRESS?
- Should I file a PR to get this into FreeBSD?

Lemme know,

Pieter