From owner-svn-src-all@FreeBSD.ORG Sun Sep 27 18:54:09 2009
Message-ID: <4ABFB4D1.5070505@elischer.org>
Date: Sun, 27 Sep 2009 11:54:09 -0700
From: Julian Elischer
To: "Simon L. Nielsen"
Cc: svn-src-head@freebsd.org, svn-src-all@freebsd.org, src-committers@freebsd.org
Subject: Re: svn commit: r197537 - head/sys/vm
In-Reply-To: <200909271449.n8REnpUX027608@svn.freebsd.org>

Simon L. Nielsen wrote:
> Author: simon
> Date: Sun Sep 27 14:49:51 2009
> New Revision: 197537
> URL: http://svn.freebsd.org/changeset/base/197537
>
> Log:
>   Do not allow mmap with the MAP_FIXED argument to map at address zero.
>   This is done to make it harder to exploit kernel NULL pointer security
>   vulnerabilities.  While this of course does not fix vulnerabilities,
>   it does mitigate their impact.
>
>   Note that this may break some applications, most likely emulators or
>   similar, which for one reason or another require mapping memory at
>   zero.

If you are going to take this approach then it should be enabled by a
bit in the inherited process permissions, with a tool to set it, like:

    map0 {command}

where command could be something like "wine".
Use setfib or nice as a template for the tool.
This way only processes that need it are affected.

>
>   This restriction can be disabled with the security.bsd.mmap_zero
>   sysctl variable.
> > Discussed with: rwatson, bz > Tested by: bz (Wine), simon (VirtualBox) > Submitted by: jhb > > Modified: > head/sys/vm/vm_mmap.c > > Modified: head/sys/vm/vm_mmap.c > ============================================================================== > --- head/sys/vm/vm_mmap.c Sun Sep 27 14:00:16 2009 (r197536) > +++ head/sys/vm/vm_mmap.c Sun Sep 27 14:49:51 2009 (r197537) > @@ -97,6 +97,14 @@ SYSCTL_INT(_vm, OID_AUTO, max_proc_mmap, > "Maximum number of memory-mapped files per process"); > > /* > + * 'mmap_zero' determines whether or not MAP_FIXED mmap() requests for > + * virtual address zero are permitted. > + */ > +static int mmap_zero; > +SYSCTL_INT(_security_bsd, OID_AUTO, mmap_zero, CTLFLAG_RW, &mmap_zero, 0, > + "Processes may map an object at virtual address zero"); > + > +/* > * Set the maximum number of vm_map_entry structures per process. Roughly > * speaking vm_map_entry structures are tiny, so allowing them to eat 1/100 > * of our KVM malloc space still results in generous limits. We want a > @@ -229,7 +237,8 @@ mmap(td, uap) > pos = uap->pos; > > fp = NULL; > - /* make sure mapping fits into numeric range etc */ > + > + /* Make sure mapping fits into numeric range, etc. */ > if ((uap->len == 0 && !SV_CURPROC_FLAG(SV_AOUT) && > curproc->p_osrel >= 800104) || > ((flags & MAP_ANON) && uap->fd != -1)) > @@ -267,6 +276,14 @@ mmap(td, uap) > addr -= pageoff; > if (addr & PAGE_MASK) > return (EINVAL); > + > + /* > + * Mapping to address zero is only permitted if > + * mmap_zero is enabled. > + */ > + if (addr == 0 && !mmap_zero) > + return (EINVAL); > + > /* Address range must be all in user VM space. */ > if (addr < vm_map_min(&vms->vm_map) || > addr + size > vm_map_max(&vms->vm_map))
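Review bot: In the first hunk, `static int mmap_zero;` relies on the implicit zero initializer, so the restriction is on by default, yet neither the sysctl description ("Processes may map an object at virtual address zero") nor the log says what the default is; write it out as `static int mmap_zero = 0;` with a comment that the default refuses such mappings, and state the default in the log so the security.bsd.mmap_zero documentation can repeat it. Since the knob is plain CTLFLAG_RW, an administrator who needs the old behaviour for an emulator can only flip it after boot; registering it as a loader tunable (TUNABLE_INT) as well would let the choice apply before any such process starts.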
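Review bot: In the last hunk, the new `if (addr == 0 && !mmap_zero) return (EINVAL);` reuses the errno of the misaligned-address check directly above it, so an application that breaks under the new policy (the log names emulators) cannot tell a bad argument from a refusal by security.bsd.mmap_zero; returning EPERM would make the distinction visible in ktrace/truss output. The placement after `addr -= pageoff` is right: a request whose address lies inside the first page but matches the file offset's page remainder is rounded down to zero at that point and refused as well, which an exact-zero test on the caller's value would miss. Only head/sys/vm/vm_mmap.c appears under Modified; mmap(2) should document the new error cause and the sysctl in the same change.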