Re: Protecting against kernel NULL-pointer derefs
- From: Pieter de Boer <pieter@xxxxxxxxxxxxxx>
- Date: Tue, 15 Sep 2009 14:24:21 +0200
Dag-Erling Smørgrav wrote:
> > Given the amount of NULL-pointer dereference vulnerabilities in the
> > FreeBSD kernel that have been discovered of late,
> Specify "amount" and define "of late".

'amount' => 2, 'of late' is more figure of speech than anything else. For me, amount was high enough to get interested and 'of late' may be because I've not been looking long enough.

> > By disallowing userland to map pages at address 0x0 (and a bit beyond),
> > it is possible to make such NULL-pointer deref bugs mere DoS'es instead
> > of code execution bugs. Linux has implemented such a protection for a
> > long while now, by disallowing page mappings on 0x0 - 0xffff.
> Yes, that really worked out great for them:
> http://isc.sans.org/diary.html?storyid=6820

I was aware of that issue, and was expecting your comment as well. While SELinux (and iirc SysV compatibility) effectively killed the "don't map at 0x0" feature, that does not mean such a feature is useless in and of itself. If it is possible to attain a high enough level of confidence that such a feature would actually work, without negative side-effects, I feel that it would be beneficial to FreeBSD.

I'd be interested in hearing your and others' opinions, specifically on the topics my original questions hinted at.
--
Pieter
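
A way to check whether the restriction discussed in this message is in force on a given system, as an added example that is not part of the original post or of FreeBSD's code: it asks the kernel for one anonymous page at each low address and reports the lowest one granted. The function names and the 0x20000 scan limit are assumptions made here, and the scan assumes nothing of the process itself is mapped below that limit.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON          /* older BSD spelling */
#endif

/* Returns 1 if one anonymous page can be mapped at exactly addr, else 0.
 * On refusal *err holds errno. A granted page is unmapped straight away. */
static int can_map_at(unsigned long addr, int *err)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, pagesz, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {              /* note: a mapping at 0 returns NULL, not MAP_FAILED */
        *err = errno;
        return 0;
    }
    munmap(p, pagesz);
    *err = 0;
    return 1;
}

/* Lowest page-aligned address in [0, limit) the kernel grants, or limit
 * (hypothetical scan bound) if every page in that range is refused. */
static unsigned long lowest_mappable(unsigned long limit)
{
    unsigned long pagesz = (unsigned long)sysconf(_SC_PAGESIZE);
    int err;
    for (unsigned long a = 0; a < limit; a += pagesz)
        if (can_map_at(a, &err))
            return a;
    return limit;
}

/* True when nothing in 0x0 - 0xffff, the range cited for Linux, is mappable. */
static int low_range_protected(unsigned long lowest) { return lowest > 0xffffUL; }

int main(void)
{
    int err = 0, zero = can_map_at(0, &err);
    unsigned long lowest = lowest_mappable(0x20000UL);
    printf("map at 0x0: %s\n", zero ? "ALLOWED" : strerror(err));
    printf("lowest mappable address below 0x20000: 0x%lx\n", lowest);
    return low_range_protected(lowest) ? 0 : 1;   /* non-zero exit: range exposed */
}
```

Run it as the unprivileged user whose exposure matters, since privileged processes may be exempt from the floor. On Linux the floor is set by the `vm.mmap_min_addr` sysctl.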