Re: mmap zero mapping disallowed (Re: svn commit: r197537 - head/sys/vm)

From: Robert Watson <rwatson_at_FreeBSD.org>
Date: Sun, 27 Sep 2009 17:35:20 +0100 (BST)

On Sun, 27 Sep 2009, Simon L. Nielsen wrote:

> As mentioned in the commit message FreeBSD 9 / head now does not allow 
> mmap'ing at zero by default, and this may break some apps.
>
> If anyone encounters applications which break because of this change, please 
> report it so we can see if it can be fixed.  It might not be possible to 
> fix some applications, but we at least would know which applications might 
> need a special note in the documentation.

There are probably some other ways to arrange mappings at 0x0, so we'll need 
to dig through the system to identify them.  To my mind, the various executable 
image activators are interesting (elf, a.out, etc), but we should check other 
things that call VM insertion routines -- things like the more interesting 3D 
device drivers.  At the end of the day, this is a mitigation technique, so if 
there are edge case non-default compiled components, etc, that's fine, but it 
would be nice to be thorough where we can.

Will our automatic address selection code ever pick 0x0 as a mapping address, 
btw?

Robert N M Watson
Computer Laboratory
University of Cambridge


>
> ----- Forwarded message from "Simon L. Nielsen" <simon_at_FreeBSD.org> -----
>
> Date: Sun, 27 Sep 2009 14:49:51 +0000 (UTC)
> From: "Simon L. Nielsen" <simon_at_FreeBSD.org>
> To: src-committers_at_freebsd.org, svn-src-all_at_freebsd.org,
> 	svn-src-head_at_freebsd.org
> Subject: svn commit: r197537 - head/sys/vm
>
> Author: simon
> Date: Sun Sep 27 14:49:51 2009
> New Revision: 197537
> URL: http://svn.freebsd.org/changeset/base/197537
>
> Log:
>  Do not allow mmap with the MAP_FIXED argument to map at address zero.
>  This is done to make it harder to exploit kernel NULL pointer security
>  vulnerabilities.  While this of course does not fix vulnerabilities,
>  it does mitigate their impact.
>
>  Note that this may break some applications, most likely emulators or
>  similar, which for one reason or another require mapping memory at
>  zero.
>
>  This restriction can be disabled with the security.bsd.mmap_zero
>  sysctl variable.
>
>  Discussed with:	rwatson, bz
>  Tested by:	bz (Wine), simon (VirtualBox)
>  Submitted by:	jhb
>
> Modified:
>  head/sys/vm/vm_mmap.c
>
> [...]
>
> ----- End forwarded message -----
>
> -- 
> Simon L. Nielsen
> Hat: FreeBSD Security Team
Received on Sun Sep 27 2009 - 14:35:21 UTC
