tech-kern archive


Re: UVM and the NULL page



On Sat, Jul 30, 2016 at 11:12:57AM +0200, Maxime Villard wrote:
> You know - as well as I do - that NULL pointer dereferences are quite 
> common,
> and that it is the main way to execute malicious code in kernel mode. 

Sorry, but you are not making your point very clear; please try to explain
in more detail!

Many people are more familiar with sane architectures where userland and
kernel do not share any VA mappings.

Now, what I understood is that you worry about shared VA architectures like x86,
where the 0 page is not usually mapped by the kernel for NetBSD binaries.
But the code trying to prevent a userland mmap() call to map a page at
VA 0 is buggy, and the userland code could even trick the kernel into
mapping at that VA with exec permissions.

This is all unrelated (I think, but am not sure) to all other uses of the 0 VA
page by emulation or architecture specific code (i.e. the arm case mentioned).

It is also slightly unrelated to the Wine case, where VA 0 is explicitly 
requested (and either denied or granted depending on the sysctl), since
fixing the bug would still allow an explicit VA 0 mapping if allowed
and granted.

Did I understand that correctly?

Martin
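Added example, not part of the thread and not NetBSD code: a small C probe against the POSIX mmap() interface that asks the kernel for one anonymous page fixed at VA 0 under several protections and reports whether the request is denied, which is the state a hardened shared-VA kernel should be in. It also shows why a check on "mmap() at address 0" has to look at MAP_FIXED: a hint of 0 without that flag is a request for any free address, not for the zero page. The function and type names (probe_va0, va0_is_hardened, hint_zero_is_only_a_hint, struct va0_probe) are constructed for this example. The probe never writes to or executes from the page; if the kernel grants the mapping it is unmapped at once and only the outcome is recorded.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANON
#define MAP_ANON MAP_ANONYMOUS
#endif

/* Outcome of one probe (names constructed for this example). */
enum va0_result { VA0_DENIED = 0, VA0_MAPPED = 1 };

struct va0_probe {
    enum va0_result result;
    int err;   /* errno reported by the kernel when denied, 0 when mapped */
    int prot;  /* protection flags that were requested */
};

/* Ask the kernel for one anonymous, private page fixed at VA 0 with the
 * given protection.  MAP_FIXED is what turns address 0 into a demand
 * rather than a "place it anywhere" hint.  If the kernel grants it, the
 * page is unmapped again immediately; nothing is written to or run from
 * it, so the probe only reports the kernel's policy. */
struct va0_probe probe_va0(int prot)
{
    struct va0_probe p = { VA0_DENIED, 0, prot };
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    void *got = mmap((void *)0, pagesize, prot,
                     MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
    if (got == MAP_FAILED) {
        p.err = errno;   /* EPERM, EACCES or EINVAL depending on the OS */
        return p;
    }
    /* MAP_FIXED succeeded, so the page really is at address 0. */
    p.result = VA0_MAPPED;
    munmap(got, pagesize);
    return p;
}

/* A hint of 0 without MAP_FIXED is not a request for VA 0: the kernel picks
 * a free address.  Returns 1 if the page was placed somewhere else, 0 if
 * the kernel actually handed back the zero page, -1 if mmap() failed. */
int hint_zero_is_only_a_hint(void)
{
    size_t pagesize = (size_t)sysconf(_SC_PAGESIZE);
    void *got = mmap((void *)0, pagesize, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANON, -1, 0);
    if (got == MAP_FAILED)
        return -1;
    int elsewhere = (got != (void *)0);
    munmap(got, pagesize);
    return elsewhere;
}

/* 1 if neither a writable nor an executable page may be fixed at VA 0,
 * which is what a hardened shared-VA kernel should enforce for userland. */
int va0_is_hardened(void)
{
    struct va0_probe rw = probe_va0(PROT_READ | PROT_WRITE);
    struct va0_probe rx = probe_va0(PROT_READ | PROT_EXEC);
    return rw.result == VA0_DENIED && rx.result == VA0_DENIED;
}

int main(void)
{
    const int prots[] = { PROT_READ | PROT_WRITE, PROT_READ | PROT_EXEC,
                          PROT_READ | PROT_WRITE | PROT_EXEC };
    for (size_t i = 0; i < sizeof prots / sizeof prots[0]; i++) {
        struct va0_probe p = probe_va0(prots[i]);
        if (p.result == VA0_MAPPED)
            printf("prot=0x%x: kernel MAPPED a page at VA 0\n", p.prot);
        else
            printf("prot=0x%x: denied (%s)\n", p.prot, strerror(p.err));
    }
    printf("hint 0 without MAP_FIXED placed elsewhere: %d\n",
           hint_zero_is_only_a_hint());
    printf("VA 0 hardened: %s\n", va0_is_hardened() ? "yes" : "NO");
    return va0_is_hardened() ? 0 : 1;
}
```

On NetBSD the policy the mail refers to is the vm.user_va0_disable sysctl; on Linux the analogous knob is vm.mmap_min_addr. A non-zero exit status from this probe means the running kernel will hand userland a page at VA 0, which is the condition the thread is worried about; the errno reported on denial differs between systems, so an audit script should key on the mapped/denied outcome rather than on a particular error code.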

