diff options
| author | bz <bz@FreeBSD.org> | 2009-10-02 17:48:51 +0000 |
|---|---|---|
| committer | bz <bz@FreeBSD.org> | 2009-10-02 17:48:51 +0000 |
| commit | bc660fe08f5a3fcc675457693dce1aa6f0f38e30 (patch) | |
| tree | 844b39d4c1c05a1f873daf5952cdc516f114880a /sys/kern/kern_exec.c | |
| parent | aba60457db3c753fc3a57a0cd5a47f32159e2815 (diff) | |
| download | FreeBSD-src-bc660fe08f5a3fcc675457693dce1aa6f0f38e30.zip FreeBSD-src-bc660fe08f5a3fcc675457693dce1aa6f0f38e30.tar.gz | |
Add a mitigation feature that will prevent user mappings at
virtual address 0, limiting the ability to convert a kernel
NULL pointer dereference into a privilege escalation attack.
If the sysctl is set to 0 a newly started process will not be able
to map anything in the address range of the first page (0 to PAGE_SIZE).
This is the default. Already running processes are not affected by this.
You can either change the sysctl or the tunable from loader in case
you need to map at a virtual address of 0, for example when running
any of the extinct species of a set of a.out binaries, vm86 emulation, ..
In that case set security.bsd.map_at_zero="1".
Superseeds: r197537
In collaboration with: jhb, kib, alc
Diffstat (limited to 'sys/kern/kern_exec.c')
| -rw-r--r-- | sys/kern/kern_exec.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c index a90968f..033f641 100644 --- a/sys/kern/kern_exec.c +++ b/sys/kern/kern_exec.c @@ -122,6 +122,11 @@ u_long ps_arg_cache_limit = PAGE_SIZE / 16; SYSCTL_ULONG(_kern, OID_AUTO, ps_arg_cache_limit, CTLFLAG_RW, &ps_arg_cache_limit, 0, ""); +static int map_at_zero = 0; +TUNABLE_INT("security.bsd.map_at_zero", &map_at_zero); +SYSCTL_INT(_security_bsd, OID_AUTO, map_at_zero, CTLFLAG_RW, &map_at_zero, 0, + "Permit processes to map an object at virtual address 0."); + static int sysctl_kern_ps_strings(SYSCTL_HANDLER_ARGS) { @@ -999,7 +1004,7 @@ exec_new_vmspace(imgp, sv) int error; struct proc *p = imgp->proc; struct vmspace *vmspace = p->p_vmspace; - vm_offset_t stack_addr; + vm_offset_t sv_minuser, stack_addr; vm_map_t map; u_long ssiz; @@ -1015,13 +1020,17 @@ exec_new_vmspace(imgp, sv) * not disrupted */ map = &vmspace->vm_map; - if (vmspace->vm_refcnt == 1 && vm_map_min(map) == sv->sv_minuser && + if (map_at_zero) + sv_minuser = sv->sv_minuser; + else + sv_minuser = MAX(sv->sv_minuser, PAGE_SIZE); + if (vmspace->vm_refcnt == 1 && vm_map_min(map) == sv_minuser && vm_map_max(map) == sv->sv_maxuser) { shmexit(vmspace); pmap_remove_pages(vmspace_pmap(vmspace)); vm_map_remove(map, vm_map_min(map), vm_map_max(map)); } else { - error = vmspace_exec(p, sv->sv_minuser, sv->sv_maxuser); + error = vmspace_exec(p, sv_minuser, sv->sv_maxuser); if (error) return (error); vmspace = p->p_vmspace; |
