Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20110907094335.GA17834@openwall.com>
Date: Wed, 7 Sep 2011 13:43:35 +0400
From: Solar Designer <solar@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Subject: Re: [RFC] x86, mm: start mmap allocation for libs from low addresses

Vasiliy,

On Wed, Sep 07, 2011 at 01:34:11PM +0400, Vasiliy Kulikov wrote:
> On Wed, Sep 07, 2011 at 13:30 +0400, Solar Designer wrote:
> > What if mmap_min_addr set really low, or is even 0?  I think we want to
> > skip low addresses even if processes are permitted to use those.
> > (Permitted does not mean encouraged.)  So how about ASCII_ARMOR_MIN_ADDR
> > 0x19000 (100 KB) when !CONFIG_VM86?
> 
> Are you talking about safety with NULL pointer dereferencing?

Yes.  Besides deliberate attacks, we want inadvertent NULL pointer
dereferences to be detected by the kernel as such.  This wouldn't happen
if the kernel itself happens to map something at NULL in almost every
process just because someone set mmap_min_addr to 0 e.g. to be able to
occasionally run a certain userspace app that needs that.

Then, there may be attack scenarios where the attacker is not able to
invoke mmap() in the process via which the attack on the kernel is
initiated - e.g., some daemon process over which the attacker has only
partial control over a certain protocol.  Thus, low mmap_min_addr
wouldn't be directly exploitable by the attacker, and we shouldn't be
making matters worse with this patch.

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.