svn commit: r197537 - head/sys/vm

Julian Elischer julian at elischer.org
Sun Sep 27 18:54:09 UTC 2009 

Simon L. Nielsen wrote:
> Author: simon
> Date: Sun Sep 27 14:49:51 2009
> New Revision: 197537
> URL: http://svn.freebsd.org/changeset/base/197537
> 
> Log:
>   Do not allow mmap with the MAP_FIXED argument to map at address zero.
>   This is done to make it harder to exploit kernel NULL pointer security
>   vulnerabilities.  While this of course does not fix vulnerabilities,
>   it does mitigate their impact.
>   
>   Note that this may break some applications, most likely emulators or
>   similar, which for one reason or another require mapping memory at
>   zero.

If you are going to take this approach then it shuel be enabled by
a bit in the inherrited process permissions, with a toll to set it,
like:

map0 {command}
where command could be something like "wine".
use setfib or nice as a template for the tool.

this way only processes that need it are affected.


>   
>   This restriction can be disabled with the security.bsd.mmap_zero
>   sysctl variable.
>   
>   Discussed with:	rwatson, bz
>   Tested by:	bz (Wine), simon (VirtualBox)
>   Submitted by:	jhb
> 
> Modified:
>   head/sys/vm/vm_mmap.c
> 
> Modified: head/sys/vm/vm_mmap.c
> ==============================================================================
> --- head/sys/vm/vm_mmap.c	Sun Sep 27 14:00:16 2009	(r197536)
> +++ head/sys/vm/vm_mmap.c	Sun Sep 27 14:49:51 2009	(r197537)
> @@ -97,6 +97,14 @@ SYSCTL_INT(_vm, OID_AUTO, max_proc_mmap,
>      "Maximum number of memory-mapped files per process");
>  
>  /*
> + * 'mmap_zero' determines whether or not MAP_FIXED mmap() requests for
> + * virtual address zero are permitted.
> + */
> +static int mmap_zero;
> +SYSCTL_INT(_security_bsd, OID_AUTO, mmap_zero, CTLFLAG_RW, &mmap_zero, 0,
> +    "Processes may map an object at virtual address zero");
> +
> +/*
>   * Set the maximum number of vm_map_entry structures per process.  Roughly
>   * speaking vm_map_entry structures are tiny, so allowing them to eat 1/100
>   * of our KVM malloc space still results in generous limits.  We want a
> @@ -229,7 +237,8 @@ mmap(td, uap)
>  	pos = uap->pos;
>  
>  	fp = NULL;
> -	/* make sure mapping fits into numeric range etc */
> +
> +	/* Make sure mapping fits into numeric range, etc. */
>  	if ((uap->len == 0 && !SV_CURPROC_FLAG(SV_AOUT) &&
>  	     curproc->p_osrel >= 800104) ||
>  	    ((flags & MAP_ANON) && uap->fd != -1))
> @@ -267,6 +276,14 @@ mmap(td, uap)
>  		addr -= pageoff;
>  		if (addr & PAGE_MASK)
>  			return (EINVAL);
> +
> +		/*
> +		 * Mapping to address zero is only permitted if
> +		 * mmap_zero is enabled.
> +		 */
> +		if (addr == 0 && !mmap_zero)
> +			return (EINVAL);
> +
>  		/* Address range must be all in user VM space. */
>  		if (addr < vm_map_min(&vms->vm_map) ||
>  		    addr + size > vm_map_max(&vms->vm_map))

More information about the svn-src-all mailing list