Matthias Drochner wrote:
Module Name:    src
Committed By:   drochner
Date:           Thu Feb 18 14:57:01 UTC 2010
Modified Files:
        src/sys/uvm: files.uvm uvm_map.c
Log Message:
Disable mapping of virtual address 0 by user programs by default.
This blocks an easy exploit of kernel bugs leading to dereference
of a NULL pointer on some architectures (e.g. i386).
The check can be disabled in various ways:
- by CPP definitions in machine/types.h (portmaster's choice)
- by a kernel config option USER_VA0_DISABLED_DEFAULT=0
- at runtime by sysctl vm.user_va0_disabled (cannot be cleared
  at securelevel>0)
I was wondering how you achieved that without modifying any of the secmodel code itself, and indeed--
+static int
+sysctl_user_va0_disabled(SYSCTLFN_ARGS)
+{
+       struct sysctlnode node;
+       int t, error;
+
+       node = *rnode;
+       node.sysctl_data = &t;
+       t = user_va0_disabled;
+       error = sysctl_lookup(SYSCTLFN_CALL(&node));
+       if (error || newp == NULL)
+               return (error);
+
+       /* lower only at securelevel < 1 */
+       if (!t && user_va0_disabled &&
+           kauth_authorize_system(l->l_cred,
+                                  KAUTH_SYSTEM_CHSYSFLAGS /* XXX */, 0,
+                                  NULL, NULL, NULL))
+               return EPERM;
+
+       user_va0_disabled = !!t;
+       return 0;
+}
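Review bot: the authorization check borrows KAUTH_SYSTEM_CHSYSFLAGS (marked /* XXX */) for a VM sysctl, so whether vm.user_va0_disabled can be lowered is decided by whatever listener policy applies to that unrelated action rather than by a request that names this knob; a dedicated KAUTH_SYSTEM_* action (or a documented scope for this one) would let secmodels reason about it explicitly. Two smaller points in the same block: the return value of kauth_authorize_system() is discarded and replaced by a hard-coded EPERM, so `return error;` from the kauth call would preserve the listener's verdict, and the comment "lower only at securelevel < 1" states a securelevel rule while the code actually defers to the secmodel, so the comment should describe the kauth request instead. Style: `return (error);` is parenthesized while the other returns in the function are not.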
Who's going to take care of that XXX referring to the use of an undocumented action, meant to be used only in file-systems? -e.