From: Pieter de Boer
Date: Fri, 18 Sep 2009 23:04:27 +0200
To: Julian Elischer
Cc: freebsd-security@freebsd.org
Subject: Re: Protecting against kernel NULL-pointer derefs
Message-ID: <4AB3F5DB.5070304@thedarkside.nl>
In-Reply-To: <4AB3BEC7.6090409@elischer.org>

Julian wrote:
> The assumption is that the userland and kernel share a memory map.
> While we do implement it this way, it is not necessarily needed.
> We do it for performance reasons (each user memory map includes an
> identical top section that is the kernel space, so that we do not need
> to switch memory page arenas (change CR3) when entering the kernel.
> However it might be possible to not do this, and in fact on some
> hardware it is mandatory to not do this).
>
> It would require a page table arena switch with each syscall which
> would require flushing the TLBs which would be expensive..
> Hmm I guess I've talked myself out of this as a solution.. :-)

So, to be able to run VM86 mode or Wine we could make the NULL mapping
protection a configurable kernel option (defaulting to 'on'?), which
doscmd/wine users could turn off.

A nicer way would be to be able to map 0x0 in userland while having the
kernel use its own 0x0 mapping. Possibly there is a way to do that without
making context switches very expensive? Partial TLB flushes??

I also wonder how Linux and (possibly) other OSes handle this; I can
imagine it can easily become quite messy, resulting in added security
issues or insufficient protection. Anyone have pointers in that regard?

-- 
Pieter
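As an added example, not code from this thread or from FreeBSD, here is a small C probe an administrator can compile to check whether the running kernel enforces the "NULL mapping protection" the message discusses, i.e. whether userland is refused a fixed mapping at address 0. The sysctl names it prints, security.bsd.map_at_zero on FreeBSD and vm.mmap_min_addr on Linux, are knobs that exist on later systems and are not mentioned in this message; the function and enum names are my own.

```c
#define _DEFAULT_SOURCE          /* glibc: expose MAP_ANON; harmless elsewhere */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif
enum null_page_status {
    NULL_PAGE_REFUSED = 0,   /* mmap at 0 failed: the kernel refuses it */
    NULL_PAGE_MAPPABLE = 1   /* mmap at 0 succeeded: no protection in place */
};

/* Ask for one anonymous page fixed at address 0 and release it at once.
 * The page is never touched; only the kernel's yes/no matters.
 * On refusal *err_out receives errno, otherwise 0. */
int probe_null_page(int *err_out)
{
    long ps = sysconf(_SC_PAGESIZE);
    size_t len = ps > 0 ? (size_t)ps : 4096;   /* conservative fallback */
    void *p;
    errno = 0;
    p = mmap((void *)0, len, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        if (err_out) *err_out = errno ? errno : EPERM;
        return NULL_PAGE_REFUSED;
    }
    munmap(p, len);                 /* MAP_FIXED guarantees p == 0 here */
    if (err_out) *err_out = 0;
    return NULL_PAGE_MAPPABLE;
}

int main(void)
{
    int err = 0;
    int r = probe_null_page(&err);
    if (r == NULL_PAGE_REFUSED)
        printf("page zero refused (%s): protection active\n", strerror(err));
    else
        puts("page zero mappable: a kernel NULL deref would reach user memory");
#if defined(__FreeBSD__)
    puts("knob: sysctl security.bsd.map_at_zero (0 = refuse)");
#elif defined(__linux__)
    puts("knob: sysctl vm.mmap_min_addr (lowest address userland may map)");
#endif
    return r;   /* exit status 0 only when the protection is in effect */
}
```

The exit status makes the probe usable from a hardening script: a non-zero status means the kernel let an unprivileged process own page zero.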