tech-kern archive


Re: UVM and the NULL page



On Mon, Aug 01, 2016 at 03:56:01PM +0000, Eduardo Horvath wrote:
> On Sat, 30 Jul 2016, Thor Lancelot Simon wrote:
> 
> > 1) amd64 partially shares VA space between the kernel and userland.  It
> >    is not unique in this but most architectures do not.
> 
> FWIW all the pmaps I worked on have split user/kernel address spaces and 
> do not share this vulnerability.

Wakes up...

You've worked on a strange set of cpus then.
Any cpu that doesn't require special instructions for copyin/out
is susceptible to user processes mapping code to address 0 and
converting a kernel 'jump through unset pointer' from a panic
into a massive security hole (executing process code with the
'supervisor' bit set).

The only reason I know for mapping address zero would be to run
executables for very old emulations where the program entry point
was zero. There might be some old 68000 ones.

ISTR that wine is actually mapping 'everywhere' in order to ensure
the addresses it needs later can be made available by unmapping
specific ranges.

Anyway mmap() without MAP_FIXED should never return NULL.
Even if technically allowed by the standard.
If nothing else I think the compiler is allowed to assume
that NULL is special and generate 'unexpected' code.

	David

-- 
David Laight: david%l8s.co.uk@localhost
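As an added example (not code from this thread, from NetBSD, or from any of the posters), here is a small C probe a sysadmin or kernel developer can run to check the two properties the message above argues for: that mmap() without MAP_FIXED never returns address 0 even when given hint 0, and whether the kernel lets an unprivileged process place a page at address 0 with MAP_FIXED (the hardened state is refusal; on Linux, for instance, vm.mmap_min_addr causes EPERM). It assumes only POSIX mmap()/munmap() plus the MAP_ANONYMOUS flag; the probe requests a non-executable page and releases it immediately without touching it.

```c
/* Defender-side probe for the NULL page (added example, not the thread's code).
 * Assumes POSIX mmap()/munmap() and the MAP_ANONYMOUS flag.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Returns 1 if an anonymous, non-fixed mapping requested with hint 0 came
 * back at a non-NULL address (the behaviour the message says is required),
 * 0 otherwise. */
int mmap_hint_zero_is_nonnull(void)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return 0;
    int ok = (p != NULL);
    munmap(p, len);
    return ok;
}

/* Outcome of trying to map the page at address 0. */
enum null_page_state { NULL_PAGE_REFUSED = 0, NULL_PAGE_MAPPABLE = 1 };

/* Tries to place a private, non-executable anonymous page at address 0.
 * If the kernel refuses, errno is stored in *err (when err is non-NULL).
 * If the kernel grants it, mmap() returns address 0 itself (not MAP_FAILED);
 * the page is unmapped again at once and is never written to or executed. */
enum null_page_state probe_null_page(int *err)
{
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)0, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        if (err)
            *err = errno;
        return NULL_PAGE_REFUSED;
    }
    if (err)
        *err = 0;
    munmap(p, len);
    return NULL_PAGE_MAPPABLE;
}

int main(void)
{
    int err = 0;
    printf("mmap(hint 0) returns non-NULL: %s\n",
           mmap_hint_zero_is_nonnull() ? "yes" : "NO");
    if (probe_null_page(&err) == NULL_PAGE_REFUSED)
        printf("NULL page: refused (%s) -- hardened\n", strerror(err));
    else
        printf("NULL page: mappable -- a kernel jump through an unset "
               "pointer would land in user-controlled memory\n");
    return 0;
}
```

On a hardened system the second line should read "refused"; "mappable" is the condition the message warns about, because a kernel NULL-pointer jump would then execute whatever the process placed at address 0 with the supervisor bit set.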
