Re: Protecting against kernel NULL-pointer derefs

Dag-Erling Sm繪rgrav wrote:

>> Given the amount of NULL-pointer dereference vulnerabilities in the
>> FreeBSD kernel that have been discovered of late,
> Specify "amount" and define "of late".
'amount' => 2, 'of late' is more figure of speech than anything else. 
For me, amount was high enough to get interested and 'of late' may be 
because I've not been looking long enough.

>> By disallowing userland to map pages at address 0x0 (and a bit beyond),
>> it is possible to make such NULL-pointer deref bugs mere DoS'es instead
>> of code execution bugs. Linux has implemented such a protection for a
>> long while now, by disallowing page mappings on 0x0 - 0xffff.
> 
> Yes, that really worked out great for them:
> 
> http://isc.sans.org/diary.html?storyid=6820
I was aware of that issue, and was expecting your comment as well. While 
SELinux (and iirc SysV compatibility) effectively killed the "don't map 
at 0x0" feature, that does not mean such a feature is useless in of 
itself. If it is possible to attain a high enough level of confidence 
that such a feature would actually work, without negative side-effects, 
I feel that it would be beneficial to FreeBSD.

I'd be interested in hearing your and other's opinions, specifically on 
the topics my original questions hinted at.

-- 
Pieter
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"