PERFORCE change 166430 for review
Robert Watson
rwatson at FreeBSD.org
Sun Jul 26 09:42:51 UTC 2009
On Fri, 24 Jul 2009, John Baldwin wrote:
> On Thursday 23 July 2009 1:37:41 am Jonathan Anderson wrote:
>> http://perforce.freebsd.org/chv.cgi?CH=166430
>>
>> Change 166430 by jona at jona-trustedbsd-belle-vmware on 2009/07/23 05:36:50
>>
>> mmap() can fail and return MAP_FAILED, not just NULL!
>
> MAP_FAILED is actually the only invalid pointer it will return. This should
> probably not be checking for NULL.
NULL is actually a valid place to map a page, and therefore can be returned by
a successful mapping. In fact, this has been a key requirement for exploiting
a number of recent Linux (and one FreeBSD) kernel security vulnerabilities, in
which a NULL function pointer is dereferenced by the kernel without properly
checking first. If userspace maps kernel exploit code at NULL or a suitable
relative offset, that code will run with kernel privilege.
Robert
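The point the thread settles (MAP_FAILED is the only error sentinel mmap() returns, and NULL is a legitimate mapping address) is easy to get wrong in a caller. The following is an added example, not code from the change under review or from either poster; it contrasts the NULL-based check with the MAP_FAILED check, wraps mmap() with the correct test, and includes a defender's probe, `page_zero_mappable()` (a name chosen here), that reports whether the running kernel still lets an unprivileged process place a mapping at address 0. On Linux that is governed by `vm.mmap_min_addr`; on FreeBSD the equivalent knob is `security.bsd.map_at_zero`.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* How a caller should read an mmap() result: MAP_FAILED is the only error
 * sentinel; NULL is a legal, if security-sensitive, mapping address. */
enum map_status { MAP_OK = 0, MAP_ERR = 1, MAP_AT_NULL = 2 };

enum map_status classify_mmap_result(void *p)
{
    if (p == MAP_FAILED)
        return MAP_ERR;        /* errno describes the failure */
    if (p == NULL)
        return MAP_AT_NULL;    /* a real mapping at address 0 */
    return MAP_OK;
}

/* The kind of check the thread objects to: it misses MAP_FAILED entirely
 * and rejects a successful mapping at NULL. */
int naive_mmap_failed(void *p) { return p == NULL; }

/* The correct check. */
int correct_mmap_failed(void *p) { return p == MAP_FAILED; }

/* Anonymous private mapping with the proper check. Returns 0 and stores the
 * address in *out on success, or -errno on failure (*out is left untouched). */
int map_anon(size_t len, void **out)
{
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -errno;
    *out = p;
    return 0;
}

/* Hardening probe (hypothetical helper): can this process map page zero?
 * Returns 1 if the kernel allowed it (the mapping is released again),
 * 0 if it refused (errno stored in *err), -1 if the page size is unknown. */
int page_zero_mappable(int *err)
{
    long pg = sysconf(_SC_PAGESIZE);
    if (pg <= 0)
        return -1;
    void *p = mmap(NULL, (size_t)pg, PROT_READ,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        if (err)
            *err = errno;      /* EPERM under mmap_min_addr / map_at_zero */
        return 0;
    }
    /* Success means p == NULL: the case the thread warns about. */
    munmap(p, (size_t)pg);
    return 1;
}

int main(void)
{
    void *buf = NULL;
    int rc = map_anon(4096, &buf);
    printf("map_anon: rc=%d status=%d\n", rc,
           classify_mmap_result(rc ? MAP_FAILED : buf));
    if (rc == 0)
        munmap(buf, 4096);

    int err = 0;
    int z = page_zero_mappable(&err);
    if (z == 1)
        puts("page zero is mappable: a kernel NULL dereference would land in user-controlled memory");
    else if (z == 0)
        printf("page zero refused (%s): low-address mappings are blocked\n",
               strerror(err));
    return 0;
}
```

Note that `naive_mmap_failed(MAP_FAILED)` returns 0, i.e. the buggy check treats a failed mmap() as success and would hand the caller the (void *)-1 sentinel as a buffer; the probe's outcome depends on the kernel's minimum-mapping-address setting, so the example reports rather than assumes it.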