Protecting against kernel NULL-pointer derefs
Jon Passki
jon at passki.us
Tue Sep 15 14:20:44 UTC 2009
2009/9/15 Dag-Erling Smørgrav <des at des.no>
>
> Pieter de Boer <pieter at thedarkside.nl> writes:
> > Given the amount of NULL-pointer dereference vulnerabilities in the
> > FreeBSD kernel that have been discovered of late,
>
> Specify "amount" and define "of late".
>
> > By disallowing userland to map pages at address 0x0 (and a bit beyond),
> > it is possible to make such NULL-pointer deref bugs mere DoS'es instead
> > of code execution bugs. Linux has implemented such a protection for a
> > long while now, by disallowing page mappings on 0x0 - 0xffff.
>
> Yes, that really worked out great for them:
>
> http://isc.sans.org/diary.html?storyid=6820
As I assume you know, one reason (not the only reason) the exploit
works is because the SELinux default policy allowed (allows?) users to
map at NULL, regardless of the protections offered by the OS (e.g.
Redhat w/ mmap_min_addr). His later exploit framework abuses SELinux
another way by downgrading protection by going into libselinux and
using a context such as wine_t to execute at NULL [1]. It's not that
mmap_min_addr failed (which it doesn't on some distros of Linux); it's
that other mechanisms exist that can undo the control put into place.
Cheers,
Jon Passki
[1] http://grsecurity.net/~spender/enlightenment.tgz, exploit.c, pa__init()
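The thread argues about whether refusing low userland mappings (Linux's mmap_min_addr, the FreeBSD proposal for 0x0 and a bit beyond) actually holds on a given box, since another mechanism such as an SELinux policy can undo it. The program below is an added example, not code from the thread or from either project: a defender's self-check that reads the live sysctl and then asks the kernel to reserve one inaccessible page at address 0, reporting whether the mitigation is in force. It assumes Linux with /proc/sys/vm/mmap_min_addr; the enum, the function names and the verdict strings are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Outcome of one low-address mapping probe (names are this example's own). */
enum probe_result {
    PROBE_REFUSED = 0,     /* kernel or an LSM denied the mapping: the mitigation holds */
    PROBE_ALLOWED = 1,     /* mapping succeeded: userland can populate page zero */
    PROBE_UNSUPPORTED = 2  /* mmap failed for an unrelated reason: inconclusive */
};

/* Parse the text of /proc/sys/vm/mmap_min_addr: a decimal byte count with an
 * optional trailing newline. Returns -1 unless the text is exactly one
 * non-negative decimal number. */
long parse_mmap_min_addr(const char *text)
{
    char *end;
    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    long value = strtol(text, &end, 10);
    if (errno != 0 || end == text || value < 0)
        return -1;
    while (*end == '\n' || *end == ' ')   /* the sysctl file ends with '\n' */
        end++;
    return (*end == '\0') ? value : -1;
}

/* Read the live sysctl. Returns -1 when it is unavailable (no /proc, non-Linux). */
long read_mmap_min_addr(void)
{
    char buf[64];
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    if (f == NULL)
        return -1;
    char *line = fgets(buf, sizeof buf, f);
    fclose(f);
    return (line == NULL) ? -1 : parse_mmap_min_addr(buf);
}

/* Ask the kernel to reserve one PROT_NONE page exactly at `addr`. Nothing is
 * ever written or executed there: PROT_NONE is enough to exercise the check,
 * because mmap_min_addr is applied before any protection is considered.
 * mmap_min_addr denies with EPERM; an SELinux memprotect:mmap_zero denial
 * surfaces as EACCES. If the kernel did allow it, the page is released again. */
enum probe_result probe_low_mapping(unsigned long addr)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return PROBE_UNSUPPORTED;
    void *p = mmap((void *)addr, (size_t)page, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED)
        return (errno == EPERM || errno == EACCES) ? PROBE_REFUSED : PROBE_UNSUPPORTED;
    munmap(p, (size_t)page);
    return PROBE_ALLOWED;
}

/* Combine the configured value and the observed behaviour into one verdict;
 * the two can disagree, which is the thread's whole point. */
const char *verdict(long min_addr, enum probe_result r)
{
    switch (r) {
    case PROBE_ALLOWED:
        return "low mapping ALLOWED: a kernel NULL-pointer deref is code execution, not just a DoS";
    case PROBE_REFUSED:
        return (min_addr > 0)
            ? "low mapping refused: mmap_min_addr is in force"
            : "low mapping refused by another mechanism (mmap_min_addr is 0 or unreadable)";
    default:
        return "probe inconclusive: mmap failed for an unrelated reason";
    }
}

int main(void)
{
    long min_addr = read_mmap_min_addr();
    enum probe_result r = probe_low_mapping(0);
    printf("mmap_min_addr = %ld\n", min_addr);
    printf("%s\n", verdict(min_addr, r));
    return (r == PROBE_ALLOWED) ? 1 : 0;
}
```

Run it as the ordinary user whose processes you care about, not as root: CAP_SYS_RAWIO bypasses mmap_min_addr, so a root run says little about what an unprivileged local user can do. A non-zero exit means the sysctl alone cannot be trusted on that host and the policy layer (SELinux booleans, confined domains) needs a look as well.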