Protecting against kernel NULL-pointer derefs
Pieter de Boer
pieter at thedarkside.nl
Tue Sep 15 12:24:23 UTC 2009
Dag-Erling Smørgrav wrote:
>> Given the amount of NULL-pointer dereference vulnerabilities in the
>> FreeBSD kernel that have been discovered of late,
> Specify "amount" and define "of late".
'amount' => 2, 'of late' is more figure of speech than anything else.
For me, amount was high enough to get interested and 'of late' may be
because I've not been looking long enough.
>> By disallowing userland to map pages at address 0x0 (and a bit beyond),
>> it is possible to make such NULL-pointer deref bugs mere DoS'es instead
>> of code execution bugs. Linux has implemented such a protection for a
>> long while now, by disallowing page mappings on 0x0 - 0xffff.
>
> Yes, that really worked out great for them:
>
> http://isc.sans.org/diary.html?storyid=6820
I was aware of that issue, and was expecting your comment as well. While
SELinux (and iirc SysV compatibility) effectively killed the "don't map
at 0x0" feature, that does not mean such a feature is useless in of
itself. If it is possible to attain a high enough level of confidence
that such a feature would actually work, without negative side-effects,
I feel that it would be beneficial to FreeBSD.
I'd be interested in hearing your and other's opinions, specifically on
the topics my original questions hinted at.
--
Pieter
More information about the freebsd-security
mailing list