tech-kern archive


re: UVM and the NULL page



> There was a bunch of fuss before about being able to "fool" UVM into
> mapping at address 0 in spite of this supposedly being disabled; for
> some reason the "fix" was to bodge around it rather than to fix UVM to
> honor its specification, which I don't understand. If you can fool UVM
> into mapping user stuff at 0, what guarantee do you have that you
> can't fool UVM into mapping user stuff over the kernel?

it's not about fooling UVM.  it's about finding a bug somewhere
in the kernel where it would access address zero (or anything in
the first page, as an offset from zero.)

on platforms that share address spaces if the user can map page
zero, then they can cause these kernel bugs to access the user
provided data.  for data accesses, that might be enough to force
a process to have its cred uid changed to zero.  or text accesses,
it's clearly very easy to trigger whatever you want.

the workaround -- disabling mapping page 0 -- means that if there
is a bug like mentioned above, it will lead to a page fault panic
instead of a compromise.  slightly less bad.. much less bad from
a security POV.


.mrg.

