All,

Given the amount of NULL-pointer dereference vulnerabilities in the FreeBSD kernel that have been discovered of late, I've started looking at a way to generically protect against the code execution possibilities of such bugs.

By disallowing userland to map pages at address 0x0 (and a bit beyond), it is possible to make such NULL-pointer deref bugs mere DoS'es instead of code execution bugs. Linux has implemented such a protection for a long while now, by disallowing page mappings on 0x0 - 0xffff.

On FreeBSD, it appears that simply bumping up VM_MIN_ADDRESS to 65536 downgrades a whole class of code execution vulnerabilities to DoS vulnerabilities. I've raised that #define to 65536 on a 6.4-RELEASE i386 VM. This made at least the mmap() method to map at 0x0 fail.

So:
- How do you feel about disallowing such mappings to protect against NULL-pointer deref code executions?
- Is bumping VM_MIN_ADDRESS enough to protect against all methods of creating such mappings (on all supported platforms)?
- Are there unwanted side-effects of raising VM_MIN_ADDRESS?
- Should I file a PR to get this into FreeBSD?

Lemme know,
Pieter
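As an added illustration (not code from this thread or from FreeBSD), here is a small C probe of the check Pieter describes doing by hand: it asks the kernel for a MAP_FIXED anonymous page at each address below 64 KiB and reports whether userland mappings in the 0x0 - 0xffff range are refused. It assumes only POSIX mmap(2)/sysconf(3) and is meant for an administrator verifying that such a mitigation is in effect on a given host.

```c
#define _DEFAULT_SOURCE 1   /* expose MAP_ANON on glibc */
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* Try to place one read-only anonymous page exactly at `addr`.
 * MAP_FIXED is required because a plain hint of 0 means "anywhere" to
 * the kernel; the range below 64 KiB is not used by a normal process,
 * so nothing of the caller's is replaced.
 * Returns 1 if the kernel refused the mapping (e.g. EPERM on Linux with
 * vm.mmap_min_addr set), 0 if the page was mapped there (it is unmapped
 * again before returning), -1 if it landed elsewhere (should not happen
 * with MAP_FIXED; kept as a defensive check). */
int probe_page_at(uintptr_t addr)
{
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap((void *)addr, pg, PROT_READ,
                   MAP_PRIVATE | MAP_ANON | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return 1;
    munmap(p, pg);
    return (uintptr_t)p == addr ? 0 : -1;
}

/* Lowest page-aligned address below `limit` that userland can map, or
 * (uintptr_t)-1 if every page in [0, limit) is refused. */
uintptr_t lowest_mappable_page(uintptr_t limit)
{
    uintptr_t pg = (uintptr_t)sysconf(_SC_PAGESIZE);
    for (uintptr_t a = 0; a < limit; a += pg)
        if (probe_page_at(a) == 0)
            return a;
    return (uintptr_t)-1;
}

/* 1 when nothing in 0x0 - 0xffff (the range the thread proposes to
 * reserve, i.e. VM_MIN_ADDRESS = 65536) can be mapped, else 0. */
int low_memory_protected(void)
{
    return lowest_mappable_page(0x10000) == (uintptr_t)-1;
}

int main(void)
{
    uintptr_t lo = lowest_mappable_page(0x10000);
    if (lo == (uintptr_t)-1)
        puts("mappings below 0x10000 refused: NULL-deref mitigation active");
    else
        printf("page at %#lx is mappable: mitigation NOT active\n",
               (unsigned long)lo);
    return 0;
}
```

Run it as an unprivileged user; a process holding CAP_SYS_RAWIO on Linux is exempt from vm.mmap_min_addr and will report the range as mappable.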
Pieter de Boer <pieter@thedarkside.nl> writes:
> Given the amount of NULL-pointer dereference vulnerabilities in the
> FreeBSD kernel that have been discovered of late,

Specify "amount" and define "of late".

> By disallowing userland to map pages at address 0x0 (and a bit beyond),
> it is possible to make such NULL-pointer deref bugs mere DoS'es instead
> of code execution bugs. Linux has implemented such a protection for a
> long while now, by disallowing page mappings on 0x0 - 0xffff.

Yes, that really worked out great for them: http://isc.sans.org/diary.html?storyid=6820

DES
--
Dag-Erling Smørgrav - des@des.no
Pieter's approach to the problem seems reasonable. If it provides some safety without breaking any/too many applications, why not adopt it?

I wonder how many of these kinds of issues could also be caught with unit tests/regression tests. See also: the CanSecWest 2009 FreeBSD bugs by Christer Oberg and Neil Kettle.

--
http://www.noncombatant.org/
http://hemiolesque.blogspot.com/
From: Pieter de Boer <pieter@thedarkside.nl>
Subject: Protecting against kernel NULL-pointer derefs
Date: Tue, 15 Sep 2009 10:03:48 +0200

> - Are there unwanted side-effects of raising VM_MIN_ADDRESS?

Mapping at address 0x0 is needed by some software using vm86 mode. For example, emulators/doscmd uses vm86 mode to emulate an old DOS environment. In this case, the address range 0x0 - 0x3ff is used for the interrupt vector of the emulated DOS world. If VM_MIN_ADDRESS is not zero, doscmd doesn't work.

vm86 mode is in the 32-bit i386 architecture only, not in amd64 or other architectures.

--
Hideki EIRAKU
On Tue, 15 Sep 2009, Pieter de Boer wrote:

> Given the amount of NULL-pointer dereference vulnerabilities in the FreeBSD
> kernel that have been discovered of late, I've started looking at a way to
> generically protect against the code execution possibilities of such bugs.
>
> By disallowing userland to map pages at address 0x0 (and a bit beyond), it
> is possible to make such NULL-pointer deref bugs mere DoS'es instead of code
> execution bugs. Linux has implemented such a protection for a long while
> now, by disallowing page mappings on 0x0 - 0xffff.
>
> On FreeBSD, it appears that simply bumping up VM_MIN_ADDRESS to 65536
> downgrades a whole class of code execution vulnerabilities to DoS
> vulnerabilities. I've raised that #define to 65536 on a 6.4-RELEASE i386 VM.
> This made at least the mmap() method to map at 0x0 fail.

FYI, changes are now going into head to implement this policy, although by slightly different mechanisms. I expect to see them merged to various branches, and also to active security branches (although disabled there by default using a sysctl so as not to disturb existing setups unless desired by the administrator).

Robert

> So:
> - How do you feel about disallowing such mappings to protect against
> NULL-pointer deref code executions?
> - Is bumping VM_MIN_ADDRESS enough to protect against all methods of
> creating such mappings (on all supported platforms)?
> - Are there unwanted side-effects of raising VM_MIN_ADDRESS?
> - Should I file a PR to get this into FreeBSD?
>
> Lemme know,
> Pieter