From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail137.messagelabs.com (mail137.messagelabs.com [216.82.249.19]) by kanga.kvack.org (Postfix) with SMTP id 38DF26B004D for ; Sun, 7 Jun 2009 06:04:11 -0400 (EDT)
Date: Sun, 7 Jun 2009 12:29:11 +0200
From: Pavel Machek
Subject: Re: Security fix for remapping of page 0 (was [PATCH] Change ZERO_SIZE_PTR to point at unmapped space)
Message-ID: <20090607102910.GA1592@ucw.cz>
References: <20090530192829.GK6535@oblivion.subreption.com> <20090530230022.GO6535@oblivion.subreption.com> <20090531022158.GA9033@oblivion.subreption.com> <20090602203405.GC6701@oblivion.subreption.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
Sender: owner-linux-mm@kvack.org
To: Christoph Lameter
Cc: "Larry H.", Linus Torvalds, linux-mm@kvack.org, Alan Cox, Rik van Riel, linux-kernel@vger.kernel.org, pageexec@freemail.hu
List-ID:

Hi!

> Ok. So what we need to do is stop this toying around with remapping of
> page 0. The following patch contains a fix and a test program that
> demonstrates the issue.
>
>
> Subject: [Security] Do not allow remapping of page 0 via MAP_FIXED
>
> If one remaps page 0 then the kernel checks for NULL pointers of various
> flavors are bypassed and this may be exploited in various creative ways
> to transfer data from kernel space to user space.

Yes, mmap() at page zero makes exploits harder; and yes, disabling it
may be useful (but we tried that before, see Alan's comment). But that
does not mean it deserves a _security_ label. Call it robustness or
something....

								Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org.  For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: email@kvack.org
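The quoted patch argues that user space must not be allowed to place a mapping over page 0 with MAP_FIXED, because a kernel NULL-pointer dereference would then land on attacker-controlled memory. The following is an added audit program, not code from this thread or from the patch being discussed: it checks whether the running kernel already refuses such a mapping. It assumes a Linux system and reads the `vm.mmap_min_addr` sysctl via `/proc/sys/vm/mmap_min_addr`, a mechanism that exists in current kernels but is not named in the thread (Pavel's "Alan's comment" refers to earlier work in that direction). The probe maps page 0 with `PROT_NONE` only, so even where the kernel permits it the page can hold no data; the mapping is torn down immediately and the result is reported as a hardening verdict.

```c
/* Added example (not from the mailing-list thread): audit whether this
 * kernel refuses a MAP_FIXED mapping of page 0, i.e. whether the
 * protection the quoted patch proposes is in effect. Assumes Linux and
 * the vm.mmap_min_addr sysctl, which the thread itself does not mention. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/mman.h>

/* Read vm.mmap_min_addr. Returns -1 if the file cannot be read
 * (non-Linux kernel, or /proc not mounted). */
long read_mmap_min_addr(void)
{
    FILE *f = fopen("/proc/sys/vm/mmap_min_addr", "r");
    long v = -1;
    if (f == NULL)
        return -1;
    if (fscanf(f, "%ld", &v) != 1)
        v = -1;
    fclose(f);
    return v;
}

/* Try to place a PROT_NONE anonymous mapping over page 0.
 * Returns 1 if the kernel refused (errno stored in *err), 0 if the
 * mapping was allowed (it is unmapped at once), -1 on a probe error.
 * PROT_NONE is deliberate: nothing can be read from or written to the
 * page, so the probe only answers "is this address range permitted". */
int zero_page_mapping_refused(int *err)
{
    long pagesz = sysconf(_SC_PAGESIZE);
    if (pagesz <= 0)
        return -1;
    void *p = mmap((void *)0, (size_t)pagesz, PROT_NONE,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, -1, 0);
    if (p == MAP_FAILED) {
        if (err) *err = errno;
        return 1;
    }
    munmap(p, (size_t)pagesz);
    if (err) *err = 0;
    return 0;
}

/* Pure verdict from the sysctl value and the probe result, kept separate
 * from the system calls so the decision logic can be tested anywhere. */
const char *classify(long min_addr, int refused)
{
    if (refused == 1 && min_addr > 0)
        return "protected";                  /* sysctl set and enforced */
    if (refused == 1)
        return "refused-by-other-mechanism"; /* e.g. LSM policy, no sysctl */
    if (refused == 0 && min_addr > 0)
        return "allowed-despite-sysctl";     /* privileged caller? investigate */
    return "unprotected";                    /* page 0 is mappable: fix this */
}

int main(void)
{
    int err = 0;
    long min_addr = read_mmap_min_addr();
    int refused = zero_page_mapping_refused(&err);

    printf("vm.mmap_min_addr = %ld\n", min_addr);
    if (refused == 1)
        printf("MAP_FIXED at page 0: refused (%s)\n", strerror(err));
    else if (refused == 0)
        printf("MAP_FIXED at page 0: allowed\n");
    else
        printf("MAP_FIXED at page 0: probe error\n");
    printf("verdict: %s\n", classify(min_addr, refused));
    return 0;
}
```

On a hardened host the expected verdict is `protected`; `unprotected` or `allowed-despite-sysctl` means a kernel NULL-pointer dereference in any driver or subsystem would dereference memory that an unprivileged process controls, which is exactly the condition the quoted patch set out to close.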