Subject: mmap(), security and /dev/zero
To: Jason Thorpe <thorpej@wasabisystems.com>
From: Jonathan Stone <jonathan@dsg.stanford.edu>
List: tech-kern
Date: 06/21/2004 16:47:37
Apropos of discussion of mmap(), security, non-executable mappings,
usw, and not necessarily tied to Jason's last comment; it just happens
to be a better starting point for a draft I had half-done:


>The /dev/zero hack originated from SunOS ... it didn't have the 
>MAP_ANON flag, but rather retrofitted anonymous memory mapping into its 
>VM system by adding the /dev/zero hack.  Subsequent BSD systems have 
>retained that hack for compatibility, since some applications grew to 
>rely on it.

... including possibly the requirement to have /dev/zero for anon maps?

If memory serves, some three or four years back, Thor observed that
chroot jails (sensu NetBSD, not FreeBSD jails) for flash-based
embedded systems still needed /dev/zero, which meant you couldn't use
a filesystem mounted with nodev for the chroot jail.
IIRC, Thor suggested the following:

 * writable filesystems mounted noexec, nodev,
 * executable filesystems mounted readonly

but noted there was still a potential hole: if the attacker could
create a shared library in one of the writable filesystems, then play
with LD_LIBRARY_PATH or LD_PRELOAD to force some existing executable
to run that shared library.

So two questions: 

1. Assuming non-executable mappings correctly honour noexec mounts,
   the hole Thor noted is now fixed, correct? Do we have a regression
   suite to check for that?

2.  ISTR our ld.elf_so doesn't require /dev/zero. What else (if anything)
    needs /dev/zero? Or /dev/null?  Is it feasible to set up a
    chroot directory without any /dev/ entries at all?
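
A small probe of the kind question 1 asks for, added here as an example and not code from this thread or from NetBSD: it reports whether the kernel refuses a PROT_EXEC mapping of a file on a given mount, whether anonymous memory is available through MAP_ANON with no device node at all, and whether a /dev/zero node can still be mapped the SunOS way. The default paths (/bin/sh, /dev/zero) and the errno values named in the comments (EACCES on NetBSD, EPERM on Linux for noexec) are assumptions; pass the file and device paths from inside the chroot to test a real jail.

```c
#define _GNU_SOURCE            /* exposes MAP_ANON on glibc; harmless elsewhere */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS /* Linux spelling of the BSD flag */
#endif
#define PROBE_LEN 4096         /* one page on common systems; mmap rounds up */

/* Map PROBE_LEN bytes of `path` (anonymous memory when path is NULL) with
 * `prot`.  Returns 0 if the kernel granted the mapping, otherwise the errno
 * it refused with.  A noexec mount is expected to refuse PROT_EXEC (assumed:
 * NetBSD reports EACCES, Linux EPERM); a missing /dev/zero node shows up as
 * ENOENT from open(). */
static int probe_map(const char *path, int prot)
{
    int fd = -1, flags = MAP_PRIVATE;
    if (path == NULL)
        flags |= MAP_ANON;                 /* question 2: no device node needed */
    else if ((fd = open(path, O_RDONLY)) < 0)
        return errno;
    void *p = mmap(NULL, PROBE_LEN, prot, flags, fd, 0);
    int err = (p == MAP_FAILED) ? errno : 0;
    if (p != MAP_FAILED)
        munmap(p, PROBE_LEN);
    if (fd >= 0)
        close(fd);
    return err;
}

/* Question 1: can a file on this mount be mapped executable? */
int probe_file_exec_map(const char *path) { return probe_map(path, PROT_READ | PROT_EXEC); }
/* Question 2: anonymous memory via MAP_ANON, the path ld.elf_so can use. */
int probe_anon_map(void) { return probe_map(NULL, PROT_READ | PROT_WRITE); }
/* The SunOS-era route: a private writable mapping of a /dev/zero node. */
int probe_devzero_map(const char *node) { return probe_map(node, PROT_READ | PROT_WRITE); }

int main(int argc, char **argv)
{
    const char *file = argc > 1 ? argv[1] : "/bin/sh";    /* assumed defaults */
    const char *zero = argc > 2 ? argv[2] : "/dev/zero";
    int e = probe_file_exec_map(file);
    printf("PROT_EXEC map of %s: %s\n", file, e ? strerror(e) : "allowed");
    e = probe_anon_map();
    printf("MAP_ANON: %s\n", e ? strerror(e) : "ok");
    e = probe_devzero_map(zero);
    printf("map of %s: %s\n", zero, e ? strerror(e) : "ok");
    return 0;
}
```

Run it once from a writable, noexec mount and once from the read-only executable one: the first should refuse the PROT_EXEC map and the second allow it, which is the regression check question 1 asks about.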