Source-Changes-D archive


Re: CVS commit: src/sys



On 06/08/2016 at 17:13, Maxime Villard wrote:
Module Name:	src
Committed By:	maxv
Date:		Sat Aug  6 15:13:14 UTC 2016

Modified Files:
	src/sys/compat/linux32/common: linux32_exec_elf32.c
	src/sys/compat/netbsd32: netbsd32_exec_aout.c netbsd32_exec_elf32.c
	src/sys/kern: kern_exec.c
	src/sys/sys: exec.h
	src/sys/uvm: uvm_map.c

Log Message:
The way the kernel tries to prevent a userland process from allocating page
zero is hugely flawed. It is easy to demonstrate that one can trick UVM
into chosing a NULL hint after the user_va0_disable check from uvm_map.

*choosing

Such a bypass allows kernel NULL pointer dereferences to be exploitable on
architectures with a shared userland<->kernel VA, like amd64.

Fix this by increasing the limit of the vm space made available for
userland processes. This way, UVM will never chose a NULL hint, since it

*choose
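To make the reasoning in the quoted commit message concrete, here is an added illustration that is not NetBSD code and does not reproduce how uvm_map or the user_va0_disable check are actually implemented. It is a constructed first-fit address chooser with hypothetical names. The first variant refuses page zero only when the caller hints it directly, so a fallback search that restarts at the bottom of the space can still hand out address 0; the second variant raises the lower bound of the whole user range instead, which is the approach the commit describes, so every path is bounded by the same limit.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model, not NetBSD's uvm_map: a toy first-fit address chooser
 * for a 64-page user address space. All names below are hypothetical. */
#define PAGE_SIZE   4096UL
#define VM_MAX_USER (64UL * PAGE_SIZE)
#define NO_SPACE    UINTPTR_MAX   /* distinct from 0, which is a real (bad) address */

struct region { uintptr_t start, end; };   /* occupied range [start, end) */

static bool busy(const struct region *r, size_t n, uintptr_t a, size_t len)
{
    for (size_t i = 0; i < n; i++)
        if (a < r[i].end && a + len > r[i].start)
            return true;
    return false;
}

/* First fit, scanning upward from 'from' one page at a time. */
static uintptr_t first_fit(uintptr_t from, size_t len,
                           const struct region *r, size_t n)
{
    for (uintptr_t a = from; a + len <= VM_MAX_USER; a += PAGE_SIZE)
        if (!busy(r, n, a, len))
            return a;
    return NO_SPACE;
}

/* Flawed pattern: page zero is refused only when the caller hints it
 * directly. When the hinted range is occupied the search restarts at the
 * bottom of the space, which is 0, so the check above never sees the
 * address that is finally handed out. */
static uintptr_t choose_hint_check_only(uintptr_t hint, size_t len,
                                        const struct region *r, size_t n)
{
    if (hint == 0)
        return NO_SPACE;
    if (hint + len <= VM_MAX_USER && !busy(r, n, hint, len))
        return hint;
    return first_fit(0, len, r, n);
}

/* Bounded pattern, in the spirit of the commit: the bottom of the user VA
 * range itself is raised above page zero, so the hint path and the fallback
 * path are both held to the same limit. */
#define VM_MIN_USER (1UL * PAGE_SIZE)

static uintptr_t choose_bounded_space(uintptr_t hint, size_t len,
                                      const struct region *r, size_t n)
{
    if (hint >= VM_MIN_USER && hint + len <= VM_MAX_USER && !busy(r, n, hint, len))
        return hint;
    return first_fit(VM_MIN_USER, len, r, n);
}

/* Constructed scenario: pages 2..4 are occupied and the caller hints page 3,
 * so the hint cannot be honoured and the fallback search decides the result. */
static const struct region occupied[] = { { 2 * PAGE_SIZE, 5 * PAGE_SIZE } };
#define N_OCCUPIED (sizeof occupied / sizeof occupied[0])

uintptr_t scenario_flawed(void)
{
    return choose_hint_check_only(3 * PAGE_SIZE, PAGE_SIZE, occupied, N_OCCUPIED);
}

uintptr_t scenario_fixed(void)
{
    return choose_bounded_space(3 * PAGE_SIZE, PAGE_SIZE, occupied, N_OCCUPIED);
}

int main(void)
{
    printf("hint-check-only chooser returns 0x%lx\n", (unsigned long)scenario_flawed());
    printf("bounded-space chooser returns  0x%lx\n", (unsigned long)scenario_fixed());
    return 0;
}
```

The point the model makes is that a check on the input (the hint) does not constrain the output (the chosen address) once any other code path can pick an address independently; moving the constraint onto the address range itself removes the need to audit every such path.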


