Protecting against kernel NULL-pointer derefs
Robert Watson
rwatson at FreeBSD.org
Sun Sep 27 18:39:13 UTC 2009
On Tue, 15 Sep 2009, Pieter de Boer wrote:
> Given the amount of NULL-pointer dereference vulnerabilities in the FreeBSD
> kernel that have been discovered of late, I've started looking at a way to
> generically protect against the code execution possibilities of such bugs.
>
> By disallowing userland to map pages at address 0x0 (and a bit beyond), it
> is possible to make such NULL-pointer deref bugs mere DoS'es instead of code
> execution bugs. Linux has implemented such a protection for a long while
> now, by disallowing page mappings on 0x0 - 0xffff.
>
> On FreeBSD, it appears that simply bumping up VM_MIN_ADDRESS to 65536
> downgrades a whole class of code execution vulnerabilities to DoS
> vulnerabilities. I've raised that #define to 65536 on a 6.4-RELEASE i386 VM.
> This made at least the mmap() method to map at 0x0 fail.

FYI, changes are now going into head to implement this policy, although by
slightly different mechanisms. I expect to see them merged to various
branches, and also to active security branches (although disabled there by
default using a sysctl so as not to disturb existing setups unless desired by
the administrator).

Robert

>
> So:
> - How do you feel about disallowing such mappings to protect against
> NULL-pointer deref code executions?
> - Is bumping VM_MIN_ADDRESS enough to protect against all methods of
> creating such mappings (on all supported platforms)?
> - Are there unwanted side-effects of raising VM_MIN_ADDRESS?
> - Should I file a PR to get this into FreeBSD?
>
> Lemme know,
> Pieter
More information about the freebsd-security mailing list
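
Added example, not part of the original messages or of FreeBSD's code: a small C check an administrator can run to confirm that the policy discussed in this thread is in force. It asks the kernel for an inaccessible (PROT_NONE) page at each address in 0x0 - 0xffff and reports the lowest one it grants. The names low_page_mappable, lowest_mappable and LOW_LIMIT are made up for this example.

```c
#define _DEFAULT_SOURCE        /* expose MAP_ANONYMOUS on glibc */
#include <stdio.h>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

#define LOW_LIMIT 0x10000UL    /* 0x0 - 0xffff, the range named in the thread */

/* Returns 1 if the kernel placed an anonymous page exactly at addr, 0 if the
 * request was refused. The page is PROT_NONE and is unmapped again at once,
 * so nothing is ever stored or executed there. MAP_FIXED is only used below
 * LOW_LIMIT, where a normal process has nothing mapped. */
static int low_page_mappable(uintptr_t addr)
{
    size_t psz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, psz, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)       /* note: a successful map at 0 returns NULL */
        return 0;
    munmap(p, psz);
    return (uintptr_t)p == addr;
}

/* Lowest page-aligned address below limit that userland can map, or limit
 * itself when every page in [0, limit) is refused. */
static uintptr_t lowest_mappable(uintptr_t limit)
{
    uintptr_t psz = (uintptr_t)sysconf(_SC_PAGESIZE);
    for (uintptr_t a = 0; a < limit; a += psz)
        if (low_page_mappable(a))
            return a;
    return limit;
}

int main(void)
{
    uintptr_t low = lowest_mappable(LOW_LIMIT);
    if (low == LOW_LIMIT) {
        printf("OK: no page below 0x%lx can be mapped\n", LOW_LIMIT);
        return 0;
    }
    printf("WEAK: userland can map a page at 0x%lx\n", (unsigned long)low);
    return 1;                  /* non-zero exit so scripts can flag the host */
}
```

Run it as the unprivileged account whose exposure matters, since the answer can differ for privileged processes.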