Protecting against kernel NULL-pointer derefs

István leccine at gmail.com
Tue Sep 15 14:24:42 UTC 2009


hehe this is the "install another security layer to introduce less security"
model




2009/9/15 Jon Passki <jon at passki.us>

> 2009/9/15 Dag-Erling Smørgrav <des at des.no>
> >
> > Pieter de Boer <pieter at thedarkside.nl> writes:
> > > Given the amount of NULL-pointer dereference vulnerabilities in the
> > > FreeBSD kernel that have been discovered of late,
> >
> > Specify "amount" and define "of late".
> >
> > > By disallowing userland to map pages at address 0x0 (and a bit beyond),
> > > it is possible to make such NULL-pointer deref bugs mere DoS'es instead
> > > of code execution bugs. Linux has implemented such a protection for a
> > > long while now, by disallowing page mappings on 0x0 - 0xffff.
> >
> > Yes, that really worked out great for them:
> >
> > http://isc.sans.org/diary.html?storyid=6820
>
> As I assume you know, one reason (not the only reason) the exploit
> works is because the SELinux default policy allowed (allows?) users to
> map at NULL, regardless of the protections offered by the OS (e.g.
> Redhat w/ mmap_min_addr).  His later exploit framework abuses SELinux
> another way by downgrading protection by going into libselinux and
> uses a context such as wine_t to execute at NULL [1].  It's not that
> mmap_min_addr failed (which it doesn't on some distros of Linux); it's
> that other mechanisms exist that can undo the control put into place.
>
> Cheers,
>
> Jon Passki
>
> [1] http://grsecurity.net/~spender/enlightenment.tgz,
> exploit.c, pa__init()



-- 
the sun shines for all
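The thread turns on two points: refusing userland mappings at address 0 (Linux's vm.mmap_min_addr) turns a kernel NULL-pointer dereference into a crash rather than code execution, and, as Jon Passki notes, a sysctl value alone proves little when another mechanism can undo the control. The following C program is an added example written for this page; it is not code from the thread, from FreeBSD or from Linux. It reads the Linux sysctl where available and then asks the kernel for a fixed anonymous page at address 0 (releasing it at once if granted), so the report reflects what this process is actually allowed to do rather than what a configuration file says. The helper names are my own; on FreeBSD the corresponding knob is the security.bsd.map_at_zero sysctl, which this program does not read.

```c
/* Added example: check whether the running kernel refuses a userland
 * mapping at address 0 for this process. Not part of the mailing-list
 * thread; function names are this example's own. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Parse the decimal text of vm.mmap_min_addr as read from
 * /proc/sys/vm/mmap_min_addr. Returns the value, or -1 when the text
 * is not a non-negative integer (optionally followed by whitespace). */
long parse_min_addr(const char *text)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || errno != 0 || v < 0)
        return -1;
    while (*end == ' ' || *end == '\n' || *end == '\t')
        end++;
    return (*end == '\0') ? v : -1;
}

/* Read the Linux sysctl. Returns -1 when it cannot be read (for example
 * on FreeBSD, where the knob is security.bsd.map_at_zero instead). */
long read_mmap_min_addr(void)
{
    char buf[64];
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f == NULL)
        return -1;
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return -1;
    }
    fclose(f);
    return parse_min_addr(buf);
}

/* Returns 1 if the kernel refused a fixed anonymous page at address 0
 * (the protection the thread discusses is in effect for this process),
 * 0 if the mapping was granted; a granted page is unmapped immediately.
 * errno is left as mmap set it so the caller can report the reason. */
int null_page_is_blocked(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        page = 4096;
    void *p = mmap((void *)0, (size_t)page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return 1;
    munmap(p, (size_t)page);
    return 0;
}

int main(void)
{
    long min_addr = read_mmap_min_addr();
    if (min_addr < 0)
        printf("vm.mmap_min_addr: not readable on this system\n");
    else
        printf("vm.mmap_min_addr = %ld (0x%lx)\n", min_addr, min_addr);

    errno = 0;
    int blocked = null_page_is_blocked();
    if (blocked)
        printf("mmap at address 0 refused: %s\n", strerror(errno));
    else
        printf("mmap at address 0 SUCCEEDED: NULL page not protected\n");
    return blocked ? 0 : 1;
}
```

Run it once as an unprivileged user and once inside whatever confinement (container, SELinux domain, jail) the service in question actually runs under: a non-zero vm.mmap_min_addr together with a refused mapping is the expected result, while a granted mapping means something in that context (a capability, a policy exception) has undone the control, which is exactly the failure mode the thread describes.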

