Subject: mmap(), security and /dev/zero
To: Jason Thorpe <firstname.lastname@example.org>
From: Jonathan Stone <email@example.com>
Date: 06/21/2004 16:47:37
Apropos of discussion of mmap(), security, non-executable mappings,
usw, and not necessarily tied to Jason's last comment; it just happens
to be a better starting point for a draft I had half-done:
>The /dev/zero hack originated from SunOS ... it didn't have the
>MAP_ANON flag, but rather retrofitted anonymous memory mapping into its
>VM system by adding the /dev/zero hack. Subsequent BSD systems have
>retained that hack for compatibility, since some applications grew to
>rely on it.
... including possibly the requirement to have /dev/zero for anon maps?
If memory serves, some three of four years back, Thor observed that
chroot jails (sensu NetBSD, not FreeBSD jails) for flash-based
embedded systems still needed /dev/zero, which meant you couldn't use
a filesystem mounted with nodev for the chroot jail.
IIRC, Thor suggested the following:
* writable filesystems mounted noexec, nodev,
* executable filesystems mounted readonly
but noted there was still a potential hole: if the attacker could
create a shared library in one of the writable filesystms, then play
with LD_LIBRARY_PATH or LD_PRELOAD to force some existing executable
to run that shared library.
So two questions:
1. Assuming non-executable mappings correctly honour noexec mounts,
the hole Thor noted is now fixed, correct? Do we have a regression
suite to check for that?
2. ISTR our ld.elf_so doesn't require /dev/zero. What else (if anything)
needs /dev/zero? Or /dev/null? Is it feasible to set up a
chroot directory without any /dev/ entries at all?