Re: Protecting against kernel NULL-pointer derefs
On Tue, 15 Sep 2009, Pieter de Boer wrote:
> Given the amount of NULL-pointer dereference vulnerabilities in the FreeBSD
> kernel that have been discovered of late, I've started looking at a way to
> generically protect against the code execution possibilities of such bugs.
>
> By disallowing userland to map pages at address 0x0 (and a bit beyond), it
> is possible to make such NULL-pointer deref bugs mere DoS'es instead of code
> execution bugs. Linux has implemented such a protection for a long while
> now, by disallowing page mappings on 0x0 - 0xffff.
>
> On FreeBSD, it appears that simply bumping up VM_MIN_ADDRESS to 65536
> downgrades a whole class of code execution vulnerabilities to DoS
> vulnerabilities. I've raised that #define to 65536 on a 6.4-RELEASE i386 VM.
> This made at least the mmap() method to map at 0x0 fail.

FYI, changes are now going into head to implement this policy, although by
slightly different mechanisms. I expect to see them merged to various
branches, and also to active security branches (although disabled there by
default using a sysctl so as not to disturb existing setups unless desired by
the administrator).

Robert

>
> So:
> - How do you feel about disallowing such mappings to protect against
> NULL-pointer deref code executions?
> - Is bumping VM_MIN_ADDRESS enough to protect against all methods of
> creating such mappings (on all supported platforms)?
> - Are there unwanted side-effects of raising VM_MIN_ADDRESS?
> - Should I file a PR to get this into FreeBSD?
>
> Lemme know,
> Pieter
>
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>
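
An added example, not part of the original messages or of FreeBSD: a small C check that reports whether the running kernel refuses userland mappings at 0x0 and where the lowest mappable page lies, which is the policy discussed in this thread. The function names and the 0x20000 scan limit are assumptions of the example.

```c
#define _DEFAULT_SOURCE /* exposes MAP_ANON on glibc */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Ask for one anonymous page exactly at addr. Returns 1 if the kernel granted
 * it (it is unmapped again at once), 0 if refused; *err receives errno. */
static int probe_fixed_page(uintptr_t addr, int *err)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
    *err = (p == MAP_FAILED) ? errno : 0;
    if (p != MAP_FAILED) munmap(p, len);
    return p != MAP_FAILED;
}

/* Positive control: take a kernel-chosen address, release it, then request it
 * with MAP_FIXED. If this fails, a refusal at 0 proves nothing about policy. */
static int probe_control(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    int err;
    void *p = mmap(NULL, len, PROT_READ, MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    munmap(p, len);
    return probe_fixed_page((uintptr_t)p, &err);
}

/* Lowest page-aligned address in [0, limit) that userland may map, or limit
 * if every page was refused. Assumes this process has nothing mapped there. */
static uintptr_t lowest_mappable(uintptr_t limit)
{
    uintptr_t step = (uintptr_t)sysconf(_SC_PAGESIZE);
    int err;
    for (uintptr_t a = 0; a < limit; a += step)
        if (probe_fixed_page(a, &err))
            return a;
    return limit;
}

int main(void)
{
    if (!probe_control()) { puts("control mapping failed"); return 2; }
    printf("lowest mappable address: 0x%lx\n", (unsigned long)lowest_mappable(0x20000));
    return 0;
}
```

A result of 0x0 means the NULL page is still mappable by this user; a result of 0x10000 matches the 0x0 - 0xffff exclusion described in the quoted message.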