PERFORCE change 166430 for review

John Baldwin jhb at freebsd.org
Mon Jul 27 13:34:27 UTC 2009


On Sunday 26 July 2009 5:42:49 am Robert Watson wrote:
> On Fri, 24 Jul 2009, John Baldwin wrote:
> 
> > On Thursday 23 July 2009 1:37:41 am Jonathan Anderson wrote:
> >> http://perforce.freebsd.org/chv.cgi?CH=166430
> >>
> >> Change 166430 by jona at jona-trustedbsd-belle-vmware on 2009/07/23 05:36:50
> >>
> >> 	mmap() can fail and return MAP_FAILED, not just NULL!
> >
> > MAP_FAILED is actually the only invalid pointer it will return.  This should 
> > probably not be checking for NULL.
> 
> NULL is actually a valid place to map a page, and therefore can be returned by 
> a successful mapping.  In fact, this has been a key requirement for exploiting 
> a number of recent Linux (and one FreeBSD) kernel security vulnerabilities, in 
> which a NULL function pointer is dereferenced by the kernel without properly 
> checking first.  If userspace maps kernel exploit code at NULL or a suitable 
> relative offset, that code will run with kernel privilege.

Ah, I did not realize the NULL check was a security check rather than a
correctness check.

-- 
John Baldwin
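As an added example (my code, not the change under review or anything from the FreeBSD tree): the MAP_FAILED check the thread settles on, beside the NULL idiom it replaced, plus a probe for whether the running kernel refuses a mapping at the zero page. The `map_anon` wrapper, `struct map_result` and the function names are my own; the probe's answer depends on the host's sysctl setting (Linux `vm.mmap_min_addr`, FreeBSD `security.bsd.map_at_zero`).

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON   /* older FreeBSD spelling */
#endif

/* Outcome of one mmap(2) call: addr is valid only when ok != 0; err is errno at failure. */
struct map_result { void *addr; int ok; int err; };

/* Correct check: MAP_FAILED ((void *)-1) is the only error value mmap(2) returns.
 * Address 0 is a legal result of a successful mapping, so comparing with NULL is wrong. */
static struct map_result map_anon(void *hint, size_t len, int extra_flags)
{
    struct map_result r = { NULL, 0, 0 };
    void *p = mmap(hint, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | extra_flags, -1, 0);
    if (p == MAP_FAILED) {
        r.err = errno;
        return r;
    }
    r.addr = p; r.ok = 1;
    return r;
}

/* The idiom the change removed: len == 0 is invalid, so mmap fails with EINVAL,
 * yet "p == NULL" is false and the error goes unnoticed.  Returns 1 only if caught. */
static int buggy_null_check_notices_failure(void)
{
    void *p = mmap(NULL, 0, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == NULL;
}

/* The same failing call, seen through the MAP_FAILED check. */
static int correct_check_notices_failure(void)
{
    struct map_result r = map_anon(NULL, 0, 0);
    return !r.ok && r.err == EINVAL;
}

/* Defender's probe for the mitigation behind the NULL discussion: current kernels
 * refuse user mappings of the zero page.  Returns 1 if this kernel refused it. */
static int zero_page_mapping_refused(void)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    struct map_result r = map_anon((void *)0, pg, MAP_FIXED);
    if (r.ok) munmap(r.addr, pg);
    return !r.ok;
}
```

On a kernel with the zero-page restriction enabled, `zero_page_mapping_refused()` returns 1; a 0 means the sysctl has been relaxed and user code can place data at address 0.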

