Protecting against kernel NULL-pointer derefs

Pieter de Boer pieter at thedarkside.nl
Tue Sep 15 08:03:49 UTC 2009


All,

Given the amount of NULL-pointer dereference vulnerabilities in the
FreeBSD kernel that have been discovered of late, I've started looking
at a way to generically protect against the code execution possibilities
of such bugs.

By disallowing userland from mapping pages at address 0x0 (and a bit
beyond), it is possible to make such NULL-pointer deref bugs mere DoSes
instead of code execution bugs. Linux has implemented such a protection
for a long while now, by disallowing page mappings on 0x0 - 0xffff.

On FreeBSD, it appears that simply bumping VM_MIN_ADDRESS up to 65536
downgrades a whole class of code execution vulnerabilities to DoS
vulnerabilities. I've raised that #define to 65536 on a 6.4-RELEASE i386
VM. This made at least the mmap() method of mapping at 0x0 fail.

So:
- How do you feel about disallowing such mappings to protect against
NULL-pointer deref code executions?
- Is bumping VM_MIN_ADDRESS enough to protect against all methods of
creating such mappings (on all supported platforms)?
- Are there unwanted side-effects of raising VM_MIN_ADDRESS?
- Should I file a PR to get this into FreeBSD?

Lemme know,
Pieter
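The check below is an added example, not code from the post or from FreeBSD: a small userland probe that asks the kernel for a MAP_FIXED anonymous page at 0x0 and at the last page below 64 KiB (the limit Linux enforces and the one the post proposes for VM_MIN_ADDRESS), then forks a child that reads through a NULL pointer to confirm that address 0 really faults. It assumes only POSIX mmap()/fork(); the function names (probe_fixed_map, reserve_free_page, null_read_faults) are this example's own. A control probe at a page the kernel itself handed out distinguishes "the kernel refuses low mappings" from "the probe is broken". On Linux the refusal at 0x0 comes from vm.mmap_min_addr (EPERM); on a FreeBSD kernel with the bumped VM_MIN_ADDRESS the post describes, mmap() fails with EINVAL. Note the caveat in the comments: MAP_FIXED silently replaces whatever is already mapped at the target, so only addresses known to be unused are probed; and this exercises mmap() only, which is the single path the post reports having tested.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS   /* Linux spelling; FreeBSD has MAP_ANON */
#endif

/* Outcome of asking the kernel for a fixed mapping at one address. */
struct probe {
    int mapped;  /* 1 if a page was mapped exactly at the requested address */
    int err;     /* errno when the kernel refused, 0 on success */
};

/* Try to map one anonymous page at exactly `addr`, then unmap it again.
 * Caution: MAP_FIXED replaces whatever is already mapped there, so only
 * probe addresses known to be unused (the low pages of a fresh process,
 * or a page this program reserved and released itself). */
static struct probe probe_fixed_map(void *addr)
{
    struct probe r = { 0, 0 };
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(addr, pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        r.err = errno;
        return r;
    }
    r.mapped = (p == addr);
    munmap(p, pagesz);
    return r;
}

/* Control: map a page wherever the kernel likes, release it, and return
 * its address. A MAP_FIXED probe there must succeed if the probe works. */
static void *reserve_free_page(void)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANON, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    munmap(p, pagesz);
    return p;
}

/* Fork a child that reads through a NULL pointer. Returns 1 if the child
 * died with SIGSEGV/SIGBUS (nothing is mapped at 0, so a kernel NULL deref
 * that follows a userland-controlled page would find none), 0 if the read
 * went through (something is mapped at 0), -1 if fork/wait failed. The
 * address is loaded through a volatile so the compiler cannot see a
 * constant NULL and turn the access into a trap instruction. */
static int null_read_faults(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        volatile uintptr_t zero = 0;
        volatile int *p = (volatile int *)zero;
        int v = *p;      /* faults unless page 0 is mapped */
        (void)v;
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return (WTERMSIG(status) == SIGSEGV || WTERMSIG(status) == SIGBUS) ? 1 : -1;
    return WIFEXITED(status) ? 0 : -1;
}

int main(void)
{
    /* 0x0, and the last page below 64 KiB (0xf000): the limit Linux uses and
     * the VM_MIN_ADDRESS value the post proposes. Both unused in a fresh process. */
    void *targets[] = { (void *)0x0, (void *)0xf000 };
    size_t i;
    int f;
    void *ctl = reserve_free_page();
    struct probe pc = probe_fixed_map(ctl);
    printf("control page %p: %s\n", ctl,
           pc.mapped ? "mapped (probe works)" : "FAILED (probe unusable)");
    for (i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        struct probe r = probe_fixed_map(targets[i]);
        if (r.mapped)
            printf("MAP_FIXED at %p: ALLOWED, a kernel NULL deref is exploitable\n",
                   targets[i]);
        else
            printf("MAP_FIXED at %p: refused (%s), NULL deref is at most a DoS\n",
                   targets[i], strerror(r.err));
    }
    f = null_read_faults();
    printf("child reading *(int *)0: %s\n",
           f == 1 ? "faulted" : f == 0 ? "succeeded" : "unknown");
    return 0;
}
```

Run it as an unprivileged user first and then as root: on Linux, root with CAP_SYS_RAWIO may still get the 0x0 mapping, which is exactly the class of exception a FreeBSD VM_MIN_ADDRESS bump would need to be checked for as well.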