re: UVM and the NULL page

To: David Holland <dholland-tech%netbsd.org@localhost>
Subject: re: UVM and the NULL page
From: matthew green <mrg%eterna.com.au@localhost>
Date: Wed, 28 Dec 2016 16:23:27 +1100

> There was a bunch of fuss before about being able to "fool" UVM into
> mapping at address 0 in spite of this supposedly being disabled; for
> some reason the "fix" was to bodge around it rather than to fix UVM to
> honor its specification, which I don't understand. If you can fool UVM
> into mapping user stuff at 0, what guarantee do you have that you
> can't fool UVM into mapping user stuff over the kernel?

it's not about fooling UVM.  it's about finding a bug somewhere
in the kernel where it would access address zero (or anything in
the first page, as an offset from zero.)

on platforms that share address spaces if the user can map page
zero, then they can cause these kernel bugs to access the user
provided data.  for data accesses, that might be enough to force
a process to have its cred uid changed to zero.  or text accesses,
it's clearly very easy to trigger whatever you want.

the workaround -- disabling mapping page 0 -- means that if there
is a bug like mentioned above, it will lead to a page fault panic
instead of a compromise.  slightly less bad.. much less bad from
a security POV.


.mrg.

References:
- Re: UVM and the NULL page
  - From: David Holland

Prev by Date: Re: spurious DIAGNOSTIC message "no disk label"
Next by Date: Re: kernel panic on ibm4xx-based powerpc box with DDB
Previous by Thread: Re: UVM and the NULL page
Next by Thread: Re: UVM and the NULL page
Indexes:

Home | Main Index | Thread Index | Old Index