From owner-freebsd-security@FreeBSD.ORG Tue Sep 15 12:24:23 2009
From: Pieter de Boer
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Date: Tue, 15 Sep 2009 14:24:21 +0200
Message-ID: <4AAF8775.7000002@thedarkside.nl>
In-Reply-To: <86ab0w2z05.fsf@ds4.des.no>
References: <4AAF4A64.3080906@thedarkside.nl> <86ab0w2z05.fsf@ds4.des.no>
Subject: Re: Protecting against kernel NULL-pointer derefs
List-Id: "Security issues [members-only posting]"

Dag-Erling Smørgrav wrote:
>> Given the amount of NULL-pointer dereference vulnerabilities in the
>> FreeBSD kernel that have been discovered of late,
> Specify "amount" and define "of late".

'amount' => 2, 'of late' is more a figure of speech than anything else. For me, the amount was high enough to get interested, and 'of late' may be because I've not been looking long enough.

>> By disallowing userland to map pages at address 0x0 (and a bit beyond),
>> it is possible to make such NULL-pointer deref bugs mere DoS'es instead
>> of code execution bugs. Linux has implemented such a protection for a
>> long while now, by disallowing page mappings on 0x0 - 0xffff.
>
> Yes, that really worked out great for them:
>
> http://isc.sans.org/diary.html?storyid=6820

I was aware of that issue, and was expecting your comment as well. While SELinux (and iirc SysV compatibility) effectively killed the "don't map at 0x0" feature, that does not mean such a feature is useless in and of itself. If it is possible to attain a high enough level of confidence that such a feature would actually work, without negative side-effects, I feel that it would be beneficial to FreeBSD.

I'd be interested in hearing your and others' opinions, specifically on the topics my original questions hinted at.

-- 
Pieter
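The check a practitioner wants after reading this thread is whether their own kernel actually lets userland map the zero page. The C program below is an added example written for this page; it is not code from the thread, from Linux or from FreeBSD. `policy_allows()` models the rule the message describes (refuse any user mapping whose range touches [0, min_addr)), with Linux's default `vm.mmap_min_addr` of 65536 passed in as the sample threshold; `probe_zero_page()` asks the running kernel by calling `mmap()` at address 0 with `MAP_FIXED`, which is the request the protection has to refuse. Both function names and the threshold value are this example's own choices.

```c
/* Added example: does this kernel let userland map the zero page?
 * policy_allows() models the rule discussed in the thread; probe_zero_page()
 * asks the running kernel. Names and thresholds are this example's own. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Model of the policy: refuse any user mapping whose range touches
 * [0, min_addr). On Linux min_addr is the sysctl vm.mmap_min_addr
 * (65536 by default); the thread proposes the same rule for FreeBSD.
 * Returns 1 if the request would be allowed, 0 if refused. */
int policy_allows(uintptr_t addr, size_t len, uintptr_t min_addr)
{
    uintptr_t end;

    if (len == 0)
        return 0;   /* a zero-length mapping is invalid anyway */
    if (__builtin_add_overflow(addr, (uintptr_t)len, &end))
        return 0;   /* range wraps around the top of the address space */
    /* end > addr here, so the range avoids [0, min_addr) iff it starts at or above it */
    return addr >= min_addr;
}

enum zero_page_result {
    ZP_REFUSED = 0,   /* mmap() failed; errno says why */
    ZP_MAPPED  = 1    /* a page sat at address 0 (unmapped again before return) */
};

/* Ask the running kernel. MAP_FIXED matters: without it address 0 is only a
 * hint and the kernel silently places the page elsewhere, so a probe that
 * omits it "succeeds" without proving anything. Any page mapped at 0 is
 * released before returning. On refusal, *err receives errno. */
enum zero_page_result probe_zero_page(int *err)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    void *p;

    if (pagesz <= 0)
        pagesz = 4096;
    p = mmap((void *)0, (size_t)pagesz, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        *err = errno;
        return ZP_REFUSED;
    }
    munmap(p, (size_t)pagesz);
    return ZP_MAPPED;
}

int main(void)
{
    int err = 0;

    /* The policy model with Linux's default threshold, for two requests. */
    printf("policy: map at 0x0     -> %s\n",
           policy_allows(0x0, 4096, 0x10000) ? "allowed" : "refused");
    printf("policy: map at 0x10000 -> %s\n",
           policy_allows(0x10000, 4096, 0x10000) ? "allowed" : "refused");

    /* What this kernel actually does for this process. */
    if (probe_zero_page(&err) == ZP_MAPPED)
        puts("kernel: zero page mappable from userland; a kernel NULL deref "
             "can land on attacker-controlled data");
    else
        printf("kernel: zero page refused (%s); a kernel NULL deref here is "
               "a crash rather than a jump into user memory\n", strerror(err));
    return 0;
}
```

Two caveats when reading the probe's verdict. First, it reports the effective outcome for the process it runs in, policy exceptions included: the Linux case linked in the thread was exactly such an exception (a process permitted to map at zero despite the sysctl), and a root process holding CAP_SYS_RAWIO is likewise allowed below `vm.mmap_min_addr`, so run the probe as the user you actually care about. On FreeBSD the corresponding knob is the `security.bsd.map_at_zero` sysctl. Second, the rule only covers the first 64 KiB: a kernel dereference of NULL plus a large structure offset can still reach memory userland is allowed to map, which is one of the limits worth weighing when judging "high enough confidence" for the feature.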