Matthias Drochner wrote:
Module Name: src
Committed By: drochner
Date: Thu Feb 18 14:57:01 UTC 2010

Modified Files:
src/sys/uvm: files.uvm uvm_map.c

Log Message:
Disable mapping of virtual address 0 by user programs per default. This blocks an easy exploit of kernel bugs leading to dereference of a NULL pointer on some architectures (eg i386).
The check can be disabled in various ways:
-by CPP definitions in machine/types.h (portmaster's choice)
-by a kernel config option USER_VA0_DISABLED_DEFAULT=0
-at runtime by sysctl vm.user_va0_disabled (cannot be cleared at securelevel>0)
I was wondering how you achieved that without modifying any of the secmodel code itself, and indeed--
+static int +sysctl_user_va0_disabled(SYSCTLFN_ARGS) +{ + struct sysctlnode node; + int t, error; + + node = *rnode; + node.sysctl_data = &t; + t = user_va0_disabled; + error = sysctl_lookup(SYSCTLFN_CALL(&node)); + if (error || newp == NULL) + return (error); + + /* lower only at securelevel < 1 */ + if (!t && user_va0_disabled && + kauth_authorize_system(l->l_cred, + KAUTH_SYSTEM_CHSYSFLAGS /* XXX */, 0, + NULL, NULL, NULL)) + return EPERM; + + user_va0_disabled = !!t; + return 0; +}
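Review bot: The kauth_authorize_system() call that guards lowering user_va0_disabled passes KAUTH_SYSTEM_CHSYSFLAGS with an "XXX" marker, so the behaviour promised by the comment "/* lower only at securelevel < 1 */" is only as reliable as the active secmodel's handling of that unrelated action; either introduce a dedicated kauth action for this knob or expand the comment to state why CHSYSFLAGS is an acceptable stand-in. The check is also only applied on the disable-to-enable transition (!t && user_va0_disabled), which matches the log message, but that asymmetry is worth a one-line comment. Minor style point: the handler mixes "return (error);" with "return EPERM;" and "return 0;"; pick one form.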
Who's going to take care of that XXX referring to the use of an undocumented action, meant to be used only in file-systems? -e.