Date:      Sun, 26 Jul 2009 10:42:49 +0100 (BST)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        John Baldwin <jhb@freebsd.org>
Cc:        Perforce Change Reviews <perforce@freebsd.org>, Jonathan Anderson <jona@freebsd.org>
Subject:   Re: PERFORCE change 166430 for review
Message-ID:  <alpine.BSF.2.00.0907261041150.17422@fledge.watson.org>
In-Reply-To: <200907240943.08676.jhb@freebsd.org>
References:  <200907230537.n6N5bfaM064484@repoman.freebsd.org> <200907240943.08676.jhb@freebsd.org>

On Fri, 24 Jul 2009, John Baldwin wrote:

> On Thursday 23 July 2009 1:37:41 am Jonathan Anderson wrote:
>> http://perforce.freebsd.org/chv.cgi?CH=166430
>>
>> Change 166430 by jona@jona-trustedbsd-belle-vmware on 2009/07/23 05:36:50
>>
>> 	mmap() can fail and return MAP_FAILED, not just NULL!
>
> MAP_FAILED is actually the only invalid pointer it will return.  This should 
> probably not be checking for NULL.

NULL is actually a valid place to map a page, and therefore can be returned by 
a successful mapping.  In fact, this has been a key requirement for exploiting 
a number of recent Linux (and one FreeBSD) kernel security vulnerabilities, in 
which a NULL function pointer is dereferenced by the kernel without properly 
checking first.  If userspace maps kernel exploit code at NULL or a suitable 
relative offset, that code will run with kernel privilege.

Robert
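Added illustration of the point being made in this thread (example code, not from the Perforce change or from either poster): a small C program forces mmap() to fail and shows that a test against NULL lets MAP_FAILED through, while a test against MAP_FAILED catches it. It assumes a POSIX mmap() where a non-anonymous mapping of descriptor -1 is rejected with EBADF.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>

/* Constructed failure case: mapping a page from an invalid descriptor
 * (fd -1 without MAP_ANON) cannot succeed, so mmap() returns
 * MAP_FAILED ((void *)-1) and sets errno.  It never returns NULL for
 * failure, because NULL is itself a legal mapping address. */
static void *map_from_bad_fd(void)
{
    return mmap(NULL, 4096, PROT_READ, MAP_PRIVATE, -1, 0);
}

/* The errno the failed call leaves behind, for the reader to inspect. */
int errno_from_bad_fd(void)
{
    errno = 0;
    (void)map_from_bad_fd();
    return errno;
}

/* Buggy check, as in the change under review: anything but NULL is
 * treated as a usable mapping.  Returns 1 when it believes the map
 * worked, so on failure it would go on to dereference MAP_FAILED. */
int buggy_check_reports_success(void)
{
    void *p = map_from_bad_fd();
    if (p == NULL)
        return 0;
    return 1;
}

/* Correct check: compare against MAP_FAILED only. */
int correct_check_reports_success(void)
{
    void *p = map_from_bad_fd();
    if (p == MAP_FAILED)
        return 0;
    (void)munmap(p, 4096);
    return 1;
}

int main(void)
{
    printf("errno after failed mmap: %d (EBADF is %d)\n",
           errno_from_bad_fd(), EBADF);
    printf("NULL check thinks it succeeded: %d\n", buggy_check_reports_success());
    printf("MAP_FAILED check thinks it succeeded: %d\n", correct_check_reports_success());
    return 0;
}
```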


