Date: Tue, 15 Sep 2009 08:58:20 -0500
From: Jon Passki <jon@passki.us>
To: Dag-Erling Smørgrav <des@des.no>
Cc: freebsd-security@freebsd.org, Pieter de Boer <pieter@thedarkside.nl>
Subject: Re: Protecting against kernel NULL-pointer derefs
Message-ID: <ece944060909150658u24f2f93aycf9a9d6b829f5a33@mail.gmail.com>
In-Reply-To: <86ab0w2z05.fsf@ds4.des.no>
References: <4AAF4A64.3080906@thedarkside.nl> <86ab0w2z05.fsf@ds4.des.no>
2009/9/15 Dag-Erling Smørgrav <des@des.no>
>
> Pieter de Boer <pieter@thedarkside.nl> writes:
> > Given the amount of NULL-pointer dereference vulnerabilities in the
> > FreeBSD kernel that have been discovered of late,
>
> Specify "amount" and define "of late".
>
> > By disallowing userland to map pages at address 0x0 (and a bit beyond),
> > it is possible to make such NULL-pointer deref bugs mere DoS'es instead
> > of code execution bugs. Linux has implemented such a protection for a
> > long while now, by disallowing page mappings on 0x0 - 0xffff.
>
> Yes, that really worked out great for them:
>
> http://isc.sans.org/diary.html?storyid=6820

As I assume you know, one reason (not the only reason) the exploit works is because the SELinux default policy allowed (allows?) users to map at NULL, regardless of the protections offered by the OS (e.g. Redhat w/ mmap_min_addr). His later exploit framework abuses SELinux another way by downgrading protection by going into libselinux and uses a context such as wine_t to execute at NULL [1]. It's not that mmap_min_addr failed (which it doesn't on some distros of Linux); it's that other mechanisms exist that can undo the control put into place.

Cheers,

Jon Passki

[1] http://grsecurity.net/~spender/enlightenment.tgz, exploit.c, pa__init()