Date: Tue, 15 Sep 2009 14:24:21 +0200 From: Pieter de Boer <pieter@thedarkside.nl> To: =?UTF-8?B?RGFnLUVybGluZyBTbcO4cmdyYXY=?= <des@des.no> Cc: freebsd-security@freebsd.org Subject: Re: Protecting against kernel NULL-pointer derefs Message-ID: <4AAF8775.7000002@thedarkside.nl> In-Reply-To: <86ab0w2z05.fsf@ds4.des.no> References: <4AAF4A64.3080906@thedarkside.nl> <86ab0w2z05.fsf@ds4.des.no>
next in thread | previous in thread | raw e-mail | index | archive | help
Dag-Erling Smørgrav wrote: >> Given the amount of NULL-pointer dereference vulnerabilities in the >> FreeBSD kernel that have been discovered of late, > Specify "amount" and define "of late". 'amount' => 2, 'of late' is more figure of speech than anything else. For me, amount was high enough to get interested and 'of late' may be because I've not been looking long enough. >> By disallowing userland to map pages at address 0x0 (and a bit beyond), >> it is possible to make such NULL-pointer deref bugs mere DoS'es instead >> of code execution bugs. Linux has implemented such a protection for a >> long while now, by disallowing page mappings on 0x0 - 0xffff. > > Yes, that really worked out great for them: > > http://isc.sans.org/diary.html?storyid=6820 I was aware of that issue, and was expecting your comment as well. While SELinux (and iirc SysV compatibility) effectively killed the "don't map at 0x0" feature, that does not mean such a feature is useless in of itself. If it is possible to attain a high enough level of confidence that such a feature would actually work, without negative side-effects, I feel that it would be beneficial to FreeBSD. I'd be interested in hearing your and other's opinions, specifically on the topics my original questions hinted at. -- Pieter
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4AAF8775.7000002>