svn commit: r197537 - head/sys/vm
Julian Elischer
julian at elischer.org
Sun Sep 27 18:55:56 UTC 2009
Julian Elischer wrote:
> Simon L. Nielsen wrote:
>> Author: simon
>> Date: Sun Sep 27 14:49:51 2009
>> New Revision: 197537
>> URL: http://svn.freebsd.org/changeset/base/197537
>>
>> Log:
>> Do not allow mmap with the MAP_FIXED argument to map at address zero.
>> This is done to make it harder to exploit kernel NULL pointer security
>> vulnerabilities. While this of course does not fix vulnerabilities,
>> it does mitigate their impact.
>> Note that this may break some applications, most likely emulators or
>> similar, which for one reason or another require mapping memory at
>> zero.
>
> If you are going to take this approach then it shuel be enabled by
> a bit in the inherrited process permissions, with a toll to set it,
> like:
>
> map0 {command}
> where command could be something like "wine".
> use setfib or nice as a template for the tool.
>
> this way only processes that need it are affected.
>
(of course only root can run the program or set the bit)
More information about the svn-src-all
mailing list