Current-Users archive


Re: HEADS UP: user address 0 mapping disabled



Matthias Drochner wrote:
Hi -

as you might remember from some press coverage and
discussion at the end of last year, allowing a userspace
program to map virtual address 0 is a security
risk on some CPU architectures. i386 and amd64 are
affected.
The risk is that it allows injecting code or data
into the kernel address space, at the kernel's
virtual address 0. It still needs a kernel bug
which makes it access code or data at NULL.
While I'm not aware of one, it is highly likely
that it exists, just because there is nothing like
100% correct code.

So I've just changed the kernel to disallow user
mappings of address 0 in the default case. This
affects use of mmap() and execution of binaries
which want to load text or data into the first
page. Native NetBSD code is not affected, so in
all common use cases the system should work
as before.
Programs which make use of the i386's "VM86"
mode (DOS emulators), and binary emulations for
ancient object formats might stop working.

Just for the record, in case someone's interested in picking this up at
some point in the future, there's PaX UDEREF:

        http://grsecurity.net/~spender/uderef.txt

(Summary at the top, ~3 years old performance tests around the bottom.)

-e.
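
A way to confirm the policy described in the quoted announcement on a given system, as an added example that is not part of the original thread or of NetBSD's own code: it asks for one anonymous page at virtual address 0 with MAP_FIXED and reports whether the kernel refused. The names `probe_va0` and `va0_status` are made up for this example.

```c
#define _DEFAULT_SOURCE   /* exposes MAP_ANON on glibc; harmless elsewhere */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Result of the probe (hypothetical names, chosen for this example). */
enum va0_status { VA0_REFUSED = 0, VA0_MAPPED = 1 };

/*
 * Request one anonymous page at virtual address 0 with MAP_FIXED.
 * On refusal, *err receives errno. On success the page is unmapped
 * again immediately; nothing is ever written to it.
 */
enum va0_status probe_va0(int *err)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p;

    *err = 0;
    p = mmap((void *)0, len, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        *err = errno;
        return VA0_REFUSED;
    }
    /* A return value of address 0 is success here, not an error. */
    munmap(p, len);
    return VA0_MAPPED;
}

int main(void)
{
    int err;

    if (probe_va0(&err) == VA0_MAPPED) {
        printf("page 0 is mappable: user mappings of address 0 are allowed\n");
        return 1;   /* non-zero exit so a hardening check can fail on it */
    }
    printf("mapping of page 0 refused: %s\n", strerror(err));
    return 0;
}
```

The errno reported on refusal differs between kernels, so the check treats any failure as "refused" and prints the reason rather than matching one value.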

