[DragonFlyBSD - Submit #2299] Prevent mapping to page 0 on pc32
Venkatesh Srinivas via Redmine
bugtracker-admin at leaf.dragonflybsd.org
Sun Feb 5 01:17:19 PST 2012
Issue #2299 has been updated by Venkatesh Srinivas.
Just some preliminary observations:
1) I'd prefer this be under a sysctl rather than require recompiling a kernel w/ a different VM_MIN_USER_ADDRESS.
2) VM_MIN_USER_ADDRESS is used for a number of other things in kernel; we'd have to look more closely at what this change does to them.
3) The changes to vm_mmap.c above only affect mcontrol and madvise; its not clear to me that changes to madvise() are required -- if you can't create a mapping at zero, there's no reason to check in madvise() that its being applied to 0, as the 'is-there-a-mapping' test will cover that.
I'd rather see something like this in kern_mmap():
* Address range must be all in user VM space and not wrap.
tmpaddr = addr + size;
if (tmpaddr < addr)
if (VM_MAX_USER_ADDRESS > 0 && tmpaddr > VM_MAX_USER_ADDRESS)
if (VM_MIN_USER_ADDRESS > 0 && addr < VM_MIN_USER_ADDRESS)
+ if (addr == NULL && zero_mmap_ok == 0)
+ return (EINVAL);
where zero_mmap_ok comes from a sysctl that defaults to '0'. (this section is under a MAP_FIXED/MAP_TRYFIXED test.
5) fp_mmap() also exists; it is mostly a hacked up clone of kern_mmap. May need to be checked to see if null mappings can be made via checkpoints from it.
Submit #2299: Prevent mapping to page 0 on pc32
Author: Loganaden Velvindron
OpenBSD prevents mapping to page 0 to prevent certain
class of exploits.
It has been reported that it can break Wine.
I tested it on pc32.
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://bugs.dragonflybsd.org/my/account
More information about the Submit